Universal one-way hash functions and their cryptographic applications
STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
A Design Principle for Hash Functions
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Collision-Resistant Hashing: Towards Making UOWHFs Practical
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Pseudorandom functions revisited: the cascade construction and its concrete security
FOCS '96 Proceedings of the 37th Annual Symposium on Foundations of Computer Science
A composition theorem for universal one-way hash functions
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Multi-property-preserving hash domain extension and the EMD transform
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Single-key AIL-MACs from any FIL-MAC
ICALP'05 Proceedings of the 32nd international conference on Automata, Languages and Programming
Efficient collision search attacks on SHA-0
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Finding collisions in the full SHA-1
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Merkle-Damgård revisited: how to construct a hash function
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Strengthening digital signatures via randomized hashing
CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
New proofs for NMAC and HMAC: security without collision-resistance
CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
Herding hash functions and the nostradamus attack
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Hash functions in the dedicated-key setting: design choices and MPP transforms
ICALP'07 Proceedings of the 34th international conference on Automata, Languages and Programming
How to Fill Up Merkle-Damgård Hash Functions
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Salvaging Merkle-Damgård for Practical Applications
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Analysis of Property-Preservation Capabilities of the ROX and ESh Hash Domain Extenders
ACISP '09 Proceedings of the 14th Australasian Conference on Information Security and Privacy
Privacy-preserving group data access via stateless oblivious RAM simulation
Proceedings of the twenty-third annual ACM-SIAM symposium on Discrete Algorithms
Hi-index | 0.00 |
Cascade chaining is a very efficient and popular mode of operation for building various kinds of cryptographic hash functions. In particular, it is the basis of the most heavily utilized SHA function family. Recently, many researchers pointed out various practical and theoretical deficiencies of this mode, which resulted in a renewed interest in building specialized modes of operations and new hash functions with better security. Unfortunately, it appears unlikely that a new hash function (say, based on a new mode of operation) would be widely adopted before being standardized, which is not expected to happen in the foreseeable future. Instead, it seems likely that practitioners would continue to use the cascade chaining, and the SHA family in particular, and try to work around the deficiencies mentioned above. In this paper we provide a thorough treatment of how to soundly design a secure hash function H′ from a given cascade-based hash function H for various cryptographic applications, such as collision-resistance, one-wayness, pseudorandomness, etc. We require each proposed construction of HH′ to satisfy the following "axioms". 1. The construction consists of one or two "black-box" calls to H. 2. In particular, one is not allowed to know/use anything about the internals of H, such as modifying the initialization vector or affecting the value of the chaining variable. 3. The construction should support variable-length inputs. 4. Compared to a single evaluation of H(M), the evaluation of H(M) should make at most a fixed (small constant) number of extra calls to the underlying compression function of H. In other words, the efficiency of H′ is negligibly close to that of H. We discuss several popular modes of operation satisfying the above axioms. For each such mode and for each given desired security requirement, we discuss the weakest requirement on the compression function of H which would make this mode secure. We also give the implications of these results for using existing hash functions SHA-x, where x ∈ {1, 224, 256, 384, 512}.