Formalizing Human Ignorance

Collision-Resistant Hashing Without the Keys
  • Phillip Rogaway
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4341)


There is a rarely mentioned foundational problem involving collision-resistant hash-functions: common constructions are keyless, but formal definitions are keyed. The discrepancy stems from the fact that a function H : {0,1}* → {0,1}^n always admits an efficient collision-finding algorithm, it’s just that us human beings might be unable to write the program down. We explain a simple way to sidestep this difficulty that avoids having to key our hash functions. The idea is to state theorems in a way that prescribes an explicitly-given reduction, normally a black-box one. We illustrate this approach using well-known examples involving digital signatures, pseudorandom functions, and the Merkle-Damgård construction.
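The explicit-reduction idea for the Merkle-Damgård case, as an added example that is not taken from the paper: `reduction` is a concrete program that uses a collision-finding adversary for the iterated hash H only as a black box and outputs a collision for the compression function f. The 16-bit truncated-SHA-256 `f`, the padding layout and all function names are assumptions, chosen so that a collision can actually be found and the reduction exercised.

```python
import hashlib
from itertools import count

N = 2          # toy chaining/digest size in bytes (16 bits): an assumption for the demo
BLOCK = 8      # message block size in bytes (assumption)
IV = b"\x00" * N

def f(h, block):
    """Toy keyless compression function: SHA-256 truncated to N bytes."""
    return hashlib.sha256(h + block).digest()[:N]

def pad(msg):
    """Merkle-Damgard strengthening: 0x80, zero fill, then a final length block."""
    data = msg + b"\x80"
    data += b"\x00" * (-len(data) % BLOCK)
    data += len(msg).to_bytes(BLOCK, "big")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def trace(msg):
    """Return every (chaining value, block) input fed to f, plus the final digest."""
    h, calls = IV, []
    for block in pad(msg):
        calls.append((h, block))
        h = f(h, block)
    return calls, h

def H(msg):
    return trace(msg)[1]

def reduction(adversary):
    """Explicit black-box reduction: run the adversary once, then turn its
    collision for H into a collision for f by walking both chains backwards."""
    m1, m2 = adversary()
    if m1 == m2 or H(m1) != H(m2):
        return None                      # adversary failed, so the reduction fails too
    c1, c2 = trace(m1)[0], trace(m2)[0]
    for a, b in zip(reversed(c1), reversed(c2)):
        if a != b:                       # distinct inputs to f with equal outputs
            return a, b
    raise AssertionError("unreachable: the length block makes padding suffix-free")

def birthday_adversary():
    """Constructed adversary: birthday search, feasible only because N is tiny."""
    seen = {}
    for i in count():
        m = i.to_bytes(4, "big")
        d = H(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
```

Nothing in `reduction` depends on how the adversary finds its collision, which is why the statement needs no key: whoever can write down a collision for H can run this program and obtain one for f.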


Keywords: Hash Function; Signature Scheme; Theorem Statement; Message Authentication Code; Message Space
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Phillip Rogaway (1, 2)
  1. Dept. of Computer Science, University of California, Davis, USA
  2. Dept. of Computer Science, Chiang Mai University, Chiang Mai, Thailand
