Salvaging merkle-damgard for practical applications

Yevgeniy Dodis, Thomas Ristenpart, Thomas Shrimpton

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) Merkle-Damgård transform applied to a corresponding compression function. Moreover, it is well known that the resulting "structured" hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damgård based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) Merkle-Damgård transform, applied to a "strong enough" compression function. In particular, we develop two such notions satisfying (a)-(c): a preimage aware function ensures that the attacker cannot produce a "useful" output of the function without already "knowing" the corresponding preimage, and a public-use random oracle, which is a random oracle that reveals to attackers messages queried by honest parties.

Original language: English (US)
Title of host publication: Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
Pages: 371-388
Number of pages: 18
Volume: 5479 LNCS
DOIs: https://doi.org/10.1007/978-3-642-01001-9_22
State: Published - 2009
Event: 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2009 - Cologne, Germany
Duration: Apr 26 2009 to Apr 30 2009

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5479 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2009
Country: Germany
City: Cologne
Period: 4/26/09 to 4/30/09

ASJC Scopus subject areas

  • Computer Science (all)
  • Theoretical Computer Science

Cite this

Dodis, Y., Ristenpart, T., & Shrimpton, T. (2009). Salvaging merkle-damgard for practical applications. In Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings (Vol. 5479 LNCS, pp. 371-388). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5479 LNCS). https://doi.org/10.1007/978-3-642-01001-9_22

Salvaging merkle-damgard for practical applications. / Dodis, Yevgeniy; Ristenpart, Thomas; Shrimpton, Thomas.

Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. Vol. 5479 LNCS 2009. p. 371-388 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5479 LNCS).

Dodis, Y, Ristenpart, T & Shrimpton, T 2009, Salvaging merkle-damgard for practical applications. in Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. vol. 5479 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5479 LNCS, pp. 371-388, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2009, Cologne, Germany, 4/26/09. https://doi.org/10.1007/978-3-642-01001-9_22
Dodis Y, Ristenpart T, Shrimpton T. Salvaging merkle-damgard for practical applications. In Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. Vol. 5479 LNCS. 2009. p. 371-388. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-642-01001-9_22
Dodis, Yevgeniy ; Ristenpart, Thomas ; Shrimpton, Thomas. / Salvaging merkle-damgard for practical applications. Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. Vol. 5479 LNCS 2009. pp. 371-388 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{99dc084b36c34a18a5f90dfeea5b82a3,
title = "Salvaging merkle-damgard for practical applications",
abstract = "Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) Merkle-Damg{\aa}rd transform applied to a corresponding compression function. Moreover, it is well known that the resulting {"}structured{"} hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damg{\aa}rd based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) Merkle-Damg{\aa}rd transform, applied to a {"}strong enough{"} compression function. In particular, we develop two such notions satisfying (a)-(c): a preimage aware function ensures that the attacker cannot produce a {"}useful{"} output of the function without already {"}knowing{"} the corresponding preimage, and a public-use random oracle, which is a random oracle that reveals to attackers messages queried by honest parties.",
author = "Yevgeniy Dodis and Thomas Ristenpart and Thomas Shrimpton",
year = "2009",
doi = "10.1007/978-3-642-01001-9_22",
language = "English (US)",
isbn = "3642010008",
volume = "5479 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "371--388",
booktitle = "Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings",

}

TY - GEN

T1 - Salvaging merkle-damgard for practical applications

AU - Dodis, Yevgeniy

AU - Ristenpart, Thomas

AU - Shrimpton, Thomas

PY - 2009

Y1 - 2009

N2 - Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) Merkle-Damgård transform applied to a corresponding compression function. Moreover, it is well known that the resulting "structured" hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damgård based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) Merkle-Damgård transform, applied to a "strong enough" compression function. In particular, we develop two such notions satisfying (a)-(c): a preimage aware function ensures that the attacker cannot produce a "useful" output of the function without already "knowing" the corresponding preimage, and a public-use random oracle, which is a random oracle that reveals to attackers messages queried by honest parties.

UR - http://www.scopus.com/inward/record.url?scp=67650652323&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=67650652323&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-01001-9_22

DO - 10.1007/978-3-642-01001-9_22

M3 - Conference contribution

SN - 3642010008

SN - 9783642010002

VL - 5479 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 371

EP - 388

BT - Advances in Cryptology - EUROCRYPT 2009 - 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings

ER -