On Randomizing Hash Functions to Strengthen the Security of Digital Signatures

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5479)


Halevi and Krawczyk proposed a message randomization algorithm called RMX as a front-end tool to hash-then-sign digital signature schemes such as DSS and RSA, in order to free them from their reliance on the collision resistance of the hash function. They have shown that to forge an RMX-hash-then-sign signature, one has to solve a cryptanalytic task related to finding second preimages for the hash function. In this article, we show how to use Dean's method of finding expandable messages, devised for finding second preimages in Merkle-Damgård hash functions, to existentially forge a signature scheme based on a t-bit RMX-hash function that uses a Davies-Meyer compression function (e.g., MD4, MD5, the SHA family) with $2^{t/2}$ chosen messages plus $2^{t/2+1}$ off-line operations of the compression function and a similar amount of memory. This forgery attack also works on signature schemes that use Davies-Meyer schemes and a variant of RMX published by NIST in its Draft Special Publication (SP) 800-106. We discuss some important applications of our attack.
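The abstract relies on a structural property of Davies-Meyer compression functions that makes Dean's expandable messages cheap to build: for any message block m, the chaining value h* = D_m(0) is a fixed point of f(h, m) = E_m(h) XOR h, found with a single decryption instead of roughly 2^t trials. The following added example (not code from the paper) demonstrates this on a constructed, insecure 32-bit toy Feistel cipher and a Merkle-Damgård chain without padding; all names and values are illustrative.

```python
# Added example (not from the paper): why Davies-Meyer compression functions
# have easy-to-find fixed points, the property Dean's expandable messages rely on.
# The block cipher below is a constructed 32-bit toy Feistel cipher, not secure.
MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF
ROUNDS = 8

def _round_fn(x: int, k: int) -> int:
    """Toy 16-bit round function (need not be invertible in a Feistel network)."""
    x = (x + k) & MASK16
    x ^= ((x << 3) | (x >> 13)) & MASK16
    return (x * 0x9E37 + 0x1234) & MASK16

def _subkeys(key: int) -> list[int]:
    """Derive one 16-bit subkey per round from the 32-bit key (toy schedule)."""
    return [((key >> ((4 * i) % 32)) ^ (0x1357 * (i + 1))) & MASK16 for i in range(ROUNDS)]

def encrypt(key: int, block: int) -> int:
    l, r = block >> 16, block & MASK16
    for k in _subkeys(key):
        l, r = r, l ^ _round_fn(r, k)
    return (l << 16) | r

def decrypt(key: int, block: int) -> int:
    l, r = block >> 16, block & MASK16
    for k in reversed(_subkeys(key)):
        l, r = r ^ _round_fn(l, k), l
    return (l << 16) | r

def davies_meyer(h: int, m: int) -> int:
    """Davies-Meyer compression: f(h, m) = E_m(h) XOR h, message block used as key."""
    return encrypt(m, h) ^ h

def fixed_point(m: int) -> int:
    """For any block m, h* = D_m(0) satisfies E_m(h*) = 0, hence f(h*, m) = h*.
    One decryption, versus about 2^t trials for an ideal compression function."""
    return decrypt(m, 0)

def iterate(h: int, blocks: list[int]) -> int:
    """Merkle-Damgaard chaining over the blocks (no padding, to isolate the effect)."""
    for m in blocks:
        h = davies_meyer(h, m)
    return h

if __name__ == "__main__":
    m = 0xDEADBEEF                      # constructed sample block
    h_star = fixed_point(m)
    # Once the chain reaches h*, any number of copies of m leaves it unchanged:
    # the repeated block is an expandable message in Dean's sense.
    assert iterate(h_star, [m] * 1000) == h_star
    print(f"fixed point for block {m:08x}: {h_star:08x}")
```

Length padding alone does not remove this property; that is why the paper counts compression-function calls rather than assuming second preimages cost 2^t.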


Keywords: Digital signatures, Hash functions, Davies-Meyer, RMX


References

1. Akl, S.G.: On the Security of Compressed Encodings. In: Chaum, D. (ed.) Advances in Cryptology: Proceedings of Crypto 1993, pp. 209–230. Plenum Press, New York (1983)
2. Anderson, R., Biham, E.: Tiger: A Fast New Hash Function. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 89–97. Springer, Heidelberg (1996)
3. ANSI. ANSI X9.62:2005: Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA) (2005)
4. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)
5. Bellare, M., Rogaway, P.: Collision-resistant hashing: Towards making UOWHFs practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997)
6. Bellovin, S., Rescorla, E.: Deploying a New Hash Algorithm. In: Proceedings of NDSS. Internet Society (February 2006)
7. Biham, E., Dunkelman, O.: A Framework for Iterative Hash Functions - HAIFA. Cryptology ePrint Archive, Report 2007/278 (2007) (Accessed on May 14, 2008)
8. Boneh, D., Boyen, X.: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. Journal of Cryptology 21(2), 149–177 (2008)
9. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
10. Dang, Q.: NIST Special Publication 800-106 Draft Randomized Hashing Digital Signatures (2007) (Accessed on July 21, 2008)
11. Dang, Q.: Draft NIST Special Publication 800-106 Draft Randomized Hashing Digital Signatures (2008) (Accessed on August 6, 2008)
12. Dang, Q., Perlner, R.: Personal communication (October 2008)
13. Davies, D., Price, W.: Security for Computer Networks. John Wiley, Chichester (1984)
14. Davies, D.W., Price, W.L.: The Application of Digital Signatures Based on Public-Key Cryptosystems. In: Proc. Fifth Intl. Computer Communications Conference, pp. 525–530 (October 1980)
15. Dean, R.D.: Formal Aspects of Mobile Code Security. PhD thesis, Princeton University (1999)
16. Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl – A SHA-3 Candidate. First Round of NIST's SHA-3 Competition (2008) (Accessed on January 5, 2009)
17. Gauravaram, P., McCullagh, A., Dawson, E.: Collision Attacks on MD5 and SHA-1: Is this the "Sword of Damocles" for Electronic Commerce? In: Clark, A., McPherson, M., Mohay, G. (eds.) AusCERT Conference Refereed R & D Stream, pp. 1–13 (2006)
18. Goldwasser, S., Micali, S., Rivest, R.L.: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal on Computing 17(2), 281–308 (1988)
19. Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006)
20. Halevi, S., Krawczyk, H.: The RMX Transform and Digital Signatures (2006) (Accessed on July 30, 2008)
21. Halevi, S., Shao, W., Krawczyk, H., Boneh, D., McIntosh, M.: Implementing the Halevi-Krawczyk Randomized Hashing Scheme (2007) (Accessed on July 28, 2008)
22. Hohl, W., Lai, X., Meier, T., Waldvogel, C.: Security of Iterated Hash Functions Based on Block Ciphers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 379–390. Springer, Heidelberg (1994)
23. Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2^n work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)
24. Lenstra, A.K., de Weger, B.: On the Possibility of Constructing Meaningful Hash Collisions for Public Keys. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 267–279. Springer, Heidelberg (2005)
25. Lucks, S.: A failure-friendly design principle for hash functions. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 474–494. Springer, Heidelberg (2005)
26. Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)
27. Mironov, I.: Collision-Resistant No More: Hash-and-Sign Paradigm Revisited. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 140–156. Springer, Heidelberg (2006)
28. Miyaguchi, S., Ohta, K., Iwata, M.: Confirmation that Some Hash Functions Are Not Collision Free. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 326–343. Springer, Heidelberg (1991)
29. NIST. FIPS PUB 186-2: Digital Signature Standard (DSS) (January 2000) (Accessed on August 15, 2008)
30. NIST. FIPS PUB 180-2: Secure Hash Standard (August 2002) (Accessed on May 18, 2008)
31. NIST. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family. Docket No: 070911510-7512-01 (November 2007)
32. NIST. Draft FIPS PUB 186-3: Digital Signature Standard (2008) (Accessed on January 4, 2008)
33. Pasini, S., Vaudenay, S.: Hash-and-Sign with Weak Hashing Made Secure. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 338–354. Springer, Heidelberg (2007)
34. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: A synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)
35. Rivest, R.L.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)
36. Rivest, R.: The MD5 Message-Digest Algorithm. Internet Request for Comment RFC 1321, Internet Engineering Task Force (April 1992)
37. RSA Laboratories. PKCS #1 v2.1: RSA Cryptography Standard. RSA Data Security, Inc. (June 2002) (Accessed on August 15, 2008)
38. Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: MD5 Considered Harmful Today: Creating A Rogue CA Certificate. Presented at 25th Annual Chaos Communication Congress (2008) (Accessed on January 3, 2009)
39. Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)
40. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
41. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
42. Yasuda, K.: How to Fill Up Merkle-Damgård Hash Functions. In: Pieprzyk, J. (ed.) Advances in Cryptology - ASIACRYPT 2008. LNCS, vol. 5350, pp. 272–289. Springer, Heidelberg (2008)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

Department of Mathematics, Technical University of Denmark, Lyngby, Denmark