Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
The random oracle methodology, revisited (preliminary version)
STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
RSA-OAEP Is Secure under the RSA Assumption
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
A Design Principle for Hash Functions
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
SWIFFT: A Modest Proposal for FFT Hashing
Fast Software Encryption
Building a Collision-Resistant Compression Function from Non-compressing Primitives
ICALP '08 Proceedings of the 35th international colloquium on Automata, Languages and Programming, Part II
Robust Multi-property Combiners for Hash Functions Revisited
ICALP '08 Proceedings of the 35th international colloquium on Automata, Languages and Programming, Part II
Salvaging Merkle-Damgård for Practical Applications
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
The exact security of digital signatures: how to sign with RSA and Rabin
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Universally composable security with global setup
TCC'07 Proceedings of the 4th conference on Theory of cryptography
Domain extension of public random functions: beyond the birthday barrier
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Seven-property-preserving iterated hashing: ROX
ASIACRYPT'07 Proceedings of the Advances in Cryptology 13th international conference on Theory and application of cryptology and information security
How to build a hash function from any collision-resistant function
ASIACRYPT'07 Proceedings of the Advances in Cryptology 13th international conference on Theory and application of cryptology and information security
On the indifferentiability of the sponge construction
EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Multi-property preserving combiners for hash functions
TCC'08 Proceedings of the 5th conference on Theory of cryptography
Multi-property-preserving hash domain extension and the EMD transform
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
VIETCRYPT'06 Proceedings of the First international conference on Cryptology in Vietnam
Merkle-Damgård revisited: how to construct a hash function
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
VSH, an efficient and provable collision-resistant hash function
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Careful with composition: limitations of the indifferentiability framework
EUROCRYPT'11 Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology
Energy-Efficient cryptographic engineering paradigm
iNetSec'11 Proceedings of the 2011 IFIP WG 11.4 international conference on Open Problems in Network Security
The design of cryptographic hash functions is a complex and failure-prone process. This paper therefore puts forward a fully modular and fault-tolerant approach to building a full-fledged hash function from a simpler underlying hash function H and a further primitive F (such as a block cipher), with the property that collision resistance of the construction relies only on H, whereas indifferentiability from a random oracle follows from F being ideal. In particular, the failure of one of the two components does not affect the security property guaranteed by the other. The Mix-Compress-Mix (MCM) approach of Ristenpart and Shrimpton (ASIACRYPT 2007) envelops the hash function H between two injective mixing steps and can be seen as a first attempt at such a design. Its proposed instantiation of the mixing steps, based on block ciphers, makes the resulting hash function impractical, however: it cannot be evaluated online, and it produces longer hash values than H while inheriting collision resistance only for the shorter output. Moreover, it relies on a trapdoor one-way permutation, which seriously compromises the use of the resulting hash function as a random-oracle instantiation in certain scenarios. This paper presents the first efficient modular hash function with online evaluation and short output length. At the core of our approach are novel block-cipher-based designs for the mixing steps of MCM that rely on significantly weaker assumptions: the first mixing step is realized without any computational assumption beyond the underlying cipher being ideal, whereas the second mixing step requires only a one-way permutation without a trapdoor, which we prove to be the minimal assumption for constructing injective random oracles.
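The reduction behind the "collision resistance relies only on H" claim can be seen concretely in the following Python example. It is added here as an illustration and is not code from the paper. It models the MCM structure with deliberately weak toy components (assumptions: H is SHA-256 truncated to 16 bits so collisions are cheap to find; both mixing steps are XOR with a public SHAKE256-derived pad, which is length-preserving and therefore injective, standing in for the paper's block-cipher-based mixing steps; the names mcm, mix1, mix2 and the seeds are hypothetical). Because both mixing steps are injective, any collision of the composed function maps back to a collision of H; a lossy second mixing step shows how the argument breaks when injectivity is dropped.

```python
import hashlib
import itertools

# Toy underlying hash H: SHA-256 truncated to 16 bits so that collisions are
# cheap to find by brute force. (Assumption for illustration, not the paper's H.)
def H(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()[:2]

# Public constants from which the toy mixing pads are derived (assumed names).
MIX1_SEED = b"toy-mcm-mix1"
MIX2_SEED = b"toy-mcm-mix2"

def xor_with_pad(data: bytes, seed: bytes) -> bytes:
    """XOR data with a public SHAKE256 keystream of the same length.

    The map is length-preserving and an involution on each length, hence
    injective over all inputs: it stands in for the injective mixing steps of MCM.
    """
    pad = hashlib.shake_256(seed).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def mix1(m: bytes) -> bytes:
    """Injective pre-mixing on the (variable-length) message."""
    return xor_with_pad(m, MIX1_SEED)

def mix2(y: bytes) -> bytes:
    """Injective post-mixing on the fixed-length digest of H."""
    return xor_with_pad(y, MIX2_SEED)

def mcm(m: bytes) -> bytes:
    """Mix-Compress-Mix: mix2(H(mix1(m))), the structure described above."""
    return mix2(H(mix1(m)))

def mix2_lossy(y: bytes) -> bytes:
    """A deliberately NON-injective post-mixing (drops the last byte)."""
    return mix2(y)[:-1]

def mcm_lossy(m: bytes) -> bytes:
    return mix2_lossy(H(mix1(m)))

def find_collision(f):
    """Birthday search over distinct counter messages; returns (m1, m2) with f(m1) == f(m2)."""
    seen = {}
    for i in itertools.count():
        m = b"msg-" + i.to_bytes(4, "big")
        d = f(m)
        if d in seen:
            return seen[d], m
        seen[d] = m

def extract_h_collision(m1: bytes, m2: bytes):
    """Turn a collision of mcm into a collision of H.

    mix2 injective  => H(mix1(m1)) == H(mix1(m2))
    mix1 injective  => mix1(m1) != mix1(m2)
    So (mix1(m1), mix1(m2)) is a genuine collision for H.
    """
    if m1 == m2 or mcm(m1) != mcm(m2):
        raise ValueError("not a collision of mcm")
    x1, x2 = mix1(m1), mix1(m2)
    if x1 == x2 or H(x1) != H(x2):
        # Cannot happen while both mixing steps are injective.
        raise AssertionError("reduction failed: a mixing step is not injective")
    return x1, x2

def lossy_collision_yields_h_collision() -> bool:
    """With a lossy mix2 the same argument breaks: a collision of mcm_lossy
    need not come from a collision of H. Returns whether the first collision
    found happens to be one (usually it is not)."""
    m1, m2 = find_collision(mcm_lossy)
    x1, x2 = mix1(m1), mix1(m2)
    return H(x1) == H(x2)

if __name__ == "__main__":
    m1, m2 = find_collision(mcm)
    x1, x2 = extract_h_collision(m1, m2)
    print("mcm collision:", m1, m2, mcm(m1).hex())
    print("extracted H collision:", x1.hex(), x2.hex(), H(x1).hex())
    print("lossy mix2: collision explained by H?", lossy_collision_yields_h_collision())
```

The point of the toy is structural, not cryptographic: the XOR pads are trivially invertible, so the composed function inherits nothing from them beyond injectivity. That is exactly the guarantee the abstract attributes to the first component, while the second property (indifferentiability) would need the mixing steps to be built from an ideal primitive, which this example does not model.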