### Abstract

The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message, The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 - the (strengthened) Merkle-Damgård transformation - does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.

Original language | English (US) |
---|---|

Title of host publication | Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings |

Pages | 430-448 |

Number of pages | 19 |

Volume | 3621 LNCS |

State | Published - 2006 |

Event | 25th Annual International Cryptology Conference, CRYPTO 2005 - Santa Barbara, CA, United States Duration: Aug 14 2005 → Aug 18 2005 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|

Volume | 3621 LNCS |

ISSN (Print) | 03029743 |

ISSN (Electronic) | 16113349 |

### Other

Other | 25th Annual International Cryptology Conference, CRYPTO 2005 |
---|---|

Country | United States |

City | Santa Barbara, CA |

Period | 8/14/05 → 8/18/05 |

### Fingerprint

### ASJC Scopus subject areas

- Computer Science(all)
- Biochemistry, Genetics and Molecular Biology(all)
- Theoretical Computer Science

### Cite this

*Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings*(Vol. 3621 LNCS, pp. 430-448). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3621 LNCS).

**Merkle-damgård revisited : How to construct a hash function.** / Coron, Jean Sébastien; Dodis, Yevgeniy; Malinaud, Cécile; Puniya, Prashant.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

*Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings.*vol. 3621 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 3621 LNCS, pp. 430-448, 25th Annual International Cryptology Conference, CRYPTO 2005, Santa Barbara, CA, United States, 8/14/05.

}

TY - GEN

T1 - Merkle-damgård revisited

T2 - How to construct a hash function

AU - Coron, Jean Sébastien

AU - Dodis, Yevgeniy

AU - Malinaud, Cécile

AU - Puniya, Prashant

PY - 2006

Y1 - 2006

N2 - The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message, The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 - the (strengthened) Merkle-Damgård transformation - does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.

AB - The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message, The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 - the (strengthened) Merkle-Damgård transformation - does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.

UR - http://www.scopus.com/inward/record.url?scp=33745119040&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33745119040&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:33745119040

SN - 3540281142

SN - 9783540281146

VL - 3621 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 430

EP - 448

BT - Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings

ER -