Getting the best out of existing hash functions; Or what if we are stuck with SHA?

Yevgeniy Dodis, Prashant Puniya

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Cascade chaining is a very efficient and popular mode of operation for building various kinds of cryptographic hash functions. In particular, it is the basis of the most heavily used SHA function family. Recently, many researchers have pointed out various practical and theoretical deficiencies of this mode, which has resulted in renewed interest in building specialized modes of operation and new hash functions with better security. Unfortunately, it appears unlikely that a new hash function (say, based on a new mode of operation) would be widely adopted before being standardized, which is not expected to happen in the foreseeable future. Instead, it seems likely that practitioners will continue to use cascade chaining, and the SHA family in particular, and try to work around the deficiencies mentioned above. In this paper we provide a thorough treatment of how to soundly design a secure hash function H' from a given cascade-based hash function H for various cryptographic applications, such as collision-resistance, one-wayness, pseudorandomness, etc. We require each proposed construction of H' to satisfy the following "axioms":

  • The construction consists of one or two "black-box" calls to H.
  • In particular, one is not allowed to know or use anything about the internals of H, such as modifying the initialization vector or affecting the value of the chaining variable.
  • The construction should support variable-length inputs.
  • Compared to a single evaluation of H(M), the evaluation of H'(M) should make at most a fixed (small constant) number of extra calls to the underlying compression function of H. In other words, the efficiency of H' is negligibly close to that of H.

We discuss several popular modes of operation satisfying the above axioms. For each such mode and for each desired security requirement, we discuss the weakest requirement on the compression function of H that would make this mode secure. We also give the implications of these results for the existing hash functions SHA-x, where x ∈ {1, 224, 256, 384, 512}.

Original language: English (US)
Title of host publication: Applied Cryptography and Network Security - 6th International Conference, ACNS 2008, Proceedings
Pages: 156-173
Number of pages: 18
Volume: 5037 LNCS
DOI: 10.1007/978-3-540-68914-0_10
State: Published - 2008
Event: 6th International Conference on Applied Cryptography and Network Security, ACNS 2008 - New York, NY, United States
Duration: Jun 3 2008 to Jun 6 2008

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5037 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 6th International Conference on Applied Cryptography and Network Security, ACNS 2008
Country: United States
City: New York, NY
Period: 6/3/08 to 6/6/08

ASJC Scopus subject areas

  • Biochemistry, Genetics and Molecular Biology (all)
  • Computer Science (all)
  • Theoretical Computer Science

Cite this

Dodis, Y., & Puniya, P. (2008). Getting the best out of existing hash functions; Or what if we are stuck with SHA? In Applied Cryptography and Network Security - 6th International Conference, ACNS 2008, Proceedings (Vol. 5037 LNCS, pp. 156-173). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5037 LNCS). https://doi.org/10.1007/978-3-540-68914-0_10
