TY - GEN
T1 - Merkle-damgård revisited
T2 - 25th Annual International Cryptology Conference, CRYPTO 2005
AU - Coron, Jean Sébastien
AU - Dodis, Yevgeniy
AU - Malinaud, Cécile
AU - Puniya, Prashant
PY - 2006
Y1 - 2006
N2 - The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message, The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 - the (strengthened) Merkle-Damgård transformation - does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.
AB - The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message, The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 - the (strengthened) Merkle-Damgård transformation - does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.
UR - http://www.scopus.com/inward/record.url?scp=33745119040&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33745119040&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:33745119040
SN - 3540281142
SN - 9783540281146
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 430
EP - 448
BT - Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings
Y2 - 14 August 2005 through 18 August 2005
ER -