Domain Extension for Enhanced Target Collision-Resistant Hash Functions

  • Ilya Mironov
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6147)


We answer the question of Reyhanitabar et al. from FSE’09 of constructing a domain extension scheme for enhanced target collision-resistant (eTCR) hash functions with sublinear key expansion. The eTCR property, introduced by Halevi and Krawczyk [1], is a natural fit for hash-and-sign signature schemes, offering an attractive alternative to collision-resistant hash functions. We prove a new composition theorem for eTCR, and demonstrate that eTCR compression functions exist if and only if one-way functions do.


  1. Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006)
  2. Reyhanitabar, M.R., Susilo, W., Mu, Y.: Enhanced target collision resistant hash functions revisited. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 327–344. Springer, Heidelberg (2009); Full version available at Cryptology ePrint Archive, Report 2009/506
  3. Rabin, M.O.: Digitalized signatures and public-key functions as intractable as factorization. Technical Memo MIT/LCS/TR-212, MIT (January 1979)
  4. Davies, D.W., Price, W.L.: The application of digital signatures based on public-key cryptosystems. In: Salz, J. (ed.) Proceedings of the Fifth Intl. Conference on Computer Communications, pp. 525–530 (1980)
  5. Damgård, I.: Collision free hash functions and public key signature schemes. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 203–216. Springer, Heidelberg (1988)
  6. Kaliski Jr., B.S.: The MD2 message-digest algorithm. RFC 1115, The Internet Engineering Task Force (April 1992)
  7. Rivest, R.L.: The MD5 message-digest algorithm. RFC 1321, The Internet Engineering Task Force (April 1992)
  8. National Institute of Standards and Technology: Secure hash standard (SHS) (May 1993)
  9. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
  10. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
  11. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17, 281–308 (1988)
  12. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing, May 15–17, pp. 33–43 (1989)
  13. Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, May 14–16, 1990, pp. 387–394 (1990)
  14. Katz, J., Koo, C.Y.: On constructing universal one-way hash functions from arbitrary one-way functions. J. Cryptology (to appear); Available on Cryptology ePrint Archive, Report 2005/328
  15. Haitner, I., Holenstein, T., Reingold, O., Vadhan, S., Wee, H.: Universal one-way hash functions via inaccessible entropy. In: Advances in Cryptology—EUROCRYPT 2010 (to appear, 2010); Available on Cryptology ePrint Archive, Report 2010/120
  16. Simon, D.R.: Finding collisions on a one-way street: Can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998)
  17. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: [46], pp. 1–18
  18. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: [46], pp. 19–35
  19. Wang, X., Yu, H., Yin, Y.L.: Efficient collision search attacks on SHA-0. In: [48], pp. 1–16
  20. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: [48], pp. 17–36
  21. Cramer, R., Shoup, V.: Signature schemes based on the strong RSA assumption. ACM Trans. on Information and System Security (TISSEC) 3(3), 161–185 (2000)
  22. Mironov, I.: Collision-resistant no more: Hash-and-sign paradigm revisited. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 140–156. Springer, Heidelberg (2006)
  23. Pasini, S., Vaudenay, S.: Hash-and-sign with weak hashing made secure. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 338–354. Springer, Heidelberg (2007)
  24. Dang, Q.: Randomized hashing for digital signatures. NIST Special Publication 800-106, National Institute of Standards and Technology (February 2009)
  25. Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. Internet Draft draft-irtf-cfrg-rhash-01, Internet Engineering Task Force (October 2007) (Work in progress)
  26. Merkle, R.C.: One way hash functions and DES. In: [47], pp. 428–446
  27. Damgård, I.: A design principle for hash functions. In: [47], pp. 416–427
  28. Gauravaram, P., Knudsen, L.R.: On randomizing hash functions to strengthen the security of digital signatures, pp. 88–105
  29. Yasuda, K.: How to fill up Merkle-Damgård hash functions. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 272–289. Springer, Heidelberg (2008)
  30. Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and reduced SHA-1. In: [46], pp. 36–57
  31. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M.K. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)
  32. Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2^n work. In: [46], pp. 474–490
  33. Kelsey, J., Kohno, T.: Herding hash functions and the Nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006)
  34. Bellare, M., Rogaway, P.: Collision-resistant hashing: Towards making UOWHFs practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997)
  35. Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
  36. Dodis, Y., Haitner, I.: Private communication
  37. Shoup, V.: A composition theorem for universal one-way hash functions. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 445–452. Springer, Heidelberg (2000)
  38. Mironov, I.: Hash functions: From Merkle-Damgård to Shoup. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 166–181. Springer, Heidelberg (2001)
  39. Sarkar, P.: Masking based domain extenders for UOWHFs: Bounds and constructions. IEEE Transactions on Information Theory 51(12), 4299–4311 (2005)
  40. Sarkar, P.: Construction of universal one-way hash functions: Tree hashing revisited. Discrete Applied Mathematics 155(16), 2174–2180 (2007)
  41. Sarkar, P.: Domain extender for collision resistant hash functions: Improving upon Merkle-Damgård iteration. Discrete Applied Mathematics 157(5), 1086–1097 (2009)
  42. Bellare, M., Ristenpart, T.: Multi-property-preserving hash domain extension and the EMD transform. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 299–314. Springer, Heidelberg (2006)
  43. Andreeva, E., Neven, G., Preneel, B., Shrimpton, T.: Seven-property-preserving iterated hashing: ROX. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 130–146. Springer, Heidelberg (2007)
  44. Bellare, M., Ristenpart, T.: Hash functions in the dedicated-key setting: Design choices and MPP transforms. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 399–410. Springer, Heidelberg (2007)
  45. Impagliazzo, R., Naor, M.: Efficient cryptographic schemes provably as secure as subset sum. J. Cryptology 9(4), 199–216 (1996)
  46. Cramer, R. (ed.): EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005)
  47. Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990)
  48. Shoup, V. (ed.): CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Ilya Mironov, Microsoft Research, Silicon Valley Campus
