Salvaging Merkle-Damgård for Practical Applications

Authors:
Yevgeniy Dodis;Thomas Ristenpart;Thomas Shrimpton
Affiliations:
Dept. of Computer Science, New York University,;Dept. of Computer Science & Engineering, University of California San Diego,;Dept. of Computer Science, Portland State University Faculty of Informatics, University of Lugano,
Venue:
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Year:
2009

Citing 28
Cited 18

How to prove yourself: practical solutions to identification and signature problems

Proceedings on Advances in cryptology---CRYPTO '86
Random oracles are practical: a paradigm for designing efficient protocols

CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
On the existence of statistically hiding bit commitment schemes and fail-stop signatures

CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Hash functions based on block ciphers: a synthetic approach

CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Identity-Based Encryption from the Weil Pairing

CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
A Design Principle for Hash Functions

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Optimal Security Proofs for PSS and Other Signature Schemes

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Short Signatures from the Weil Pairing

ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
The random oracle methodology, revisited

Journal of the ACM (JACM)
A Forward-Secure Public-Key Encryption Scheme

Journal of Cryptology
Extractable Perfectly One-Way Functions

ICALP '08 Proceedings of the 35th international colloquium on Automata, Languages and Programming, Part II
Building a Collision-Resistant Compression Function from Non-compressing Primitives

ICALP '08 Proceedings of the 35th international colloquium on Automata, Languages and Programming, Part II
Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers

CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Leaky Random Oracle (Extended Abstract)

ProvSec '08 Proceedings of the 2nd International Conference on Provable Security
Towards a Theory of Extractable Functions

TCC '09 Proceedings of the 6th Theory of Cryptography Conference on Theory of Cryptography
The exact security of digital signatures-how to sign with RSA and Rabin

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
A simple variant of the Merkle-Damgård scheme with a permutation

ASIACRYPT'07 Proceedings of the Advances in Crypotology 13th international conference on Theory and application of cryptology and information security
How to build a hash function from any collision-resistant function

ASIACRYPT'07 Proceedings of the Advances in Crypotology 13th international conference on Theory and application of cryptology and information security
A new mode of operation for block ciphers and length-preserving MACs

EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Security/efficiency tradeoffs for permutation-based hashing

EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Getting the best out of existing hash functions; or what if we are stuck with SHA?

ACNS'08 Proceedings of the 6th international conference on Applied cryptography and network security
Multi-property-preserving hash domain extension and the EMD transform

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Some plausible constructions of double-block-length hash functions

FSE'06 Proceedings of the 13th international conference on Fast Software Encryption
Merkle-Damgård revisited: how to construct a hash function

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Provably secure double-block-length hash functions in a black-box model

ICISC'04 Proceedings of the 7th international conference on Information Security and Cryptology
Hash functions in the dedicated-key setting: design choices and MPP transforms

ICALP'07 Proceedings of the 34th international conference on Automata, Languages and Programming

A Modular Design for Hash Functions: Towards Making the Mix-Compress-Mix Approach Practical

ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
How to Confirm Cryptosystems Security: The Original Merkle-Damgård Is Still Alive!

ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Indifferentiability Characterization of Hash Functions and Optimal Bounds of Popular Domain Extensions

INDOCRYPT '09 Proceedings of the 10th International Conference on Cryptology in India: Progress in Cryptology
Security analysis of the mode of JH hash function

FSE'10 Proceedings of the 17th international conference on Fast software encryption
On the indifferentiability of the Grøstl hash function

SCN'10 Proceedings of the 7th international conference on Security and cryptography for networks
Some observations on indifferentiability

ACISP'10 Proceedings of the 15th Australasian conference on Information security and privacy
Security reductions of the second round SHA-3 candidates

ISC'10 Proceedings of the 13th international conference on Information security
Careful with composition: limitations of the indifferentiability framework

EUROCRYPT'11 Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology
On the security of hash functions employing blockcipher postprocessing

FSE'11 Proceedings of the 18th international conference on Fast software encryption
Security of practical cryptosystems using Merkle-Damgård hash function in the ideal cipher model

ProvSec'11 Proceedings of the 5th international conference on Provable security
From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again

Proceedings of the 3rd Innovations in Theoretical Computer Science Conference
Multi-property-preserving domain extension using polynomial-based modes of operation

EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
The first 30 years of cryptographic hash functions and the NIST SHA-3 competition

CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Blockcipher-Based double-length hash functions for pseudorandom oracles

SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
Black-box property of cryptographic hash functions

FPS'11 Proceedings of the 4th Canada-France MITACS conference on Foundations and Practice of Security
On the public indifferentiability and correlation intractability of the 6-round feistel construction

TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
Security analysis and comparison of the SHA-3 finalists BLAKE, grøstl, JH, keccak, and skein

AFRICACRYPT'12 Proceedings of the 5th international conference on Cryptology in Africa
Indifferentiability of domain extension modes for hash functions

INTRUST'11 Proceedings of the Third international conference on Trusted Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) Merkle-Damgård transform applied to a corresponding compression function. Moreover, it is well known that the resulting "structured" hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damgård based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) Merkle-Damgård transform, applied to a "strong enough" compression function. In particular, we develop two such notions satisfying (a)-(c): a preimage aware function ensures that the attacker cannot produce a "useful" output of the function without already "knowing" the corresponding preimage, and a public-use random oracle , which is a random oracle that reveals to attackers messages queried by honest parties.