Merkle-Damgård revisited: How to construct a hash function

Jean Sébastien Coron, Yevgeniy Dodis, Cécile Malinaud, Prashant Puniya

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 - the (strengthened) Merkle-Damgård transformation - does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.

Original language: English (US)
Title of host publication: Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings
Pages: 430-448
Number of pages: 19
Volume: 3621 LNCS
State: Published - 2006
Event: 25th Annual International Cryptology Conference, CRYPTO 2005 - Santa Barbara, CA, United States
Duration: Aug 14 2005 → Aug 18 2005

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 3621 LNCS
ISSN (Print): 03029743
ISSN (Electronic): 16113349

Other

Other: 25th Annual International Cryptology Conference, CRYPTO 2005
Country: United States
City: Santa Barbara, CA
Period: 8/14/05 → 8/18/05

Fingerprint

Hash functions
Hash Function
Random Oracle
SHA-1
Compression Function
Block Cipher
Cryptosystem
Plug-in
Iterate
Building Blocks
Cryptography
Collision
Arbitrary

ASJC Scopus subject areas

  • Computer Science(all)
  • Biochemistry, Genetics and Molecular Biology(all)
  • Theoretical Computer Science

Cite this

Coron, J. S., Dodis, Y., Malinaud, C., & Puniya, P. (2006). Merkle-Damgård revisited: How to construct a hash function. In Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings (Vol. 3621 LNCS, pp. 430-448). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3621 LNCS).

@inproceedings{0ca73516a08f4c0e8f91683fb71fcf94,
title = "Merkle-damg{\aa}rd revisited: How to construct a hash function",
author = "Coron, {Jean S{\'e}bastien} and Yevgeniy Dodis and C{\'e}cile Malinaud and Prashant Puniya",
year = "2006",
language = "English (US)",
isbn = "3540281142",
volume = "3621 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "430--448",
booktitle = "Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings",

}

TY - GEN

T1 - Merkle-damgård revisited

T2 - How to construct a hash function

AU - Coron, Jean Sébastien

AU - Dodis, Yevgeniy

AU - Malinaud, Cécile

AU - Puniya, Prashant

PY - 2006

Y1 - 2006

UR - http://www.scopus.com/inward/record.url?scp=33745119040&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33745119040&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:33745119040

SN - 3540281142

SN - 9783540281146

VL - 3621 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 430

EP - 448

BT - Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings

ER -