### Abstract

Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) Merkle-Damgård transform applied to a corresponding compression function. Moreover, it is well known that the resulting "structured" hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damgård based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) Merkle- Damgård transform, appli to a "strong enough" compression function. In particular, we develop two such notions satisfying (a)-(c): a preimage aware function ensures that the attacker cannot produce a "useful" output of the function without already "knowing" the corresponding preimage, and a public-use random oracle, which is a random oracle that reveals to attackers messages queried by honest parties.

Original language | English (US) |
---|---|

Title of host publication | Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings |

Pages | 371-388 |

Number of pages | 18 |

Volume | 5479 LNCS |

DOIs | |

State | Published - 2009 |

Event | 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2009 - Cologne, Germany Duration: Apr 26 2009 → Apr 30 2009 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|

Volume | 5479 LNCS |

ISSN (Print) | 03029743 |

ISSN (Electronic) | 16113349 |

### Other

Other | 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2009 |
---|---|

Country | Germany |

City | Cologne |

Period | 4/26/09 → 4/30/09 |

### Fingerprint

### ASJC Scopus subject areas

- Computer Science(all)
- Theoretical Computer Science

### Cite this

*Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings*(Vol. 5479 LNCS, pp. 371-388). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5479 LNCS). https://doi.org/10.1007/978-3-642-01001-9_22

**Salvaging merkle-damgard for practical applications.** / Dodis, Yevgeniy; Ristenpart, Thomas; Shrimpton, Thomas.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

*Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings.*vol. 5479 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5479 LNCS, pp. 371-388, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2009, Cologne, Germany, 4/26/09. https://doi.org/10.1007/978-3-642-01001-9_22

}

TY - GEN

T1 - Salvaging merkle-damgard for practical applications

AU - Dodis, Yevgeniy

AU - Ristenpart, Thomas

AU - Shrimpton, Thomas

PY - 2009

Y1 - 2009

N2 - Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) Merkle-Damgård transform applied to a corresponding compression function. Moreover, it is well known that the resulting "structured" hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damgård based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) Merkle- Damgård transform, appli to a "strong enough" compression function. In particular, we develop two such notions satisfying (a)-(c): a preimage aware function ensures that the attacker cannot produce a "useful" output of the function without already "knowing" the corresponding preimage, and a public-use random oracle, which is a random oracle that reveals to attackers messages queried by honest parties.

AB - Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) Merkle-Damgård transform applied to a corresponding compression function. Moreover, it is well known that the resulting "structured" hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damgård based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) Merkle- Damgård transform, appli to a "strong enough" compression function. In particular, we develop two such notions satisfying (a)-(c): a preimage aware function ensures that the attacker cannot produce a "useful" output of the function without already "knowing" the corresponding preimage, and a public-use random oracle, which is a random oracle that reveals to attackers messages queried by honest parties.

UR - http://www.scopus.com/inward/record.url?scp=67650652323&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=67650652323&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-01001-9_22

DO - 10.1007/978-3-642-01001-9_22

M3 - Conference contribution

SN - 3642010008

SN - 9783642010002

VL - 5479 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 371

EP - 388

BT - Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings

ER -