
Security Analysis of Randomize-Hash-then-Sign Digital Signatures


Abstract

At CRYPTO 2006, Halevi and Krawczyk proposed two randomized hash function modes and analyzed the security of digital signature algorithms based on these constructions. They showed that the security of signature schemes based on the two randomized hash function modes relies on properties similar to second preimage resistance rather than on the collision resistance of the hash functions. One of the randomized hash function modes was named the RMX hash function mode and was recommended for practical purposes. The National Institute of Standards and Technology (NIST), USA, standardized a variant of the RMX hash function mode and published this standard in Special Publication (SP) 800-106.

In this article, we first discuss a generic online birthday existential forgery attack of Dang and Perlner on the RMX-hash-then-sign schemes. We show that a variant of this attack can be applied to forge the other randomize-hash-then-sign schemes. We point out practical limitations of the generic forgery attack on the RMX-hash-then-sign schemes. We then show that these limitations can be overcome for the RMX-hash-then-sign schemes if it is easy to find fixed points for the underlying compression functions, as it is for the Davies-Meyer construction used in popular hash functions such as MD5, designed by Rivest, and the SHA family of hash functions, designed by the National Security Agency (NSA), USA, and published by NIST in the Federal Information Processing Standards (FIPS). We show an online birthday forgery attack on this class of signatures by using a variant of Dean’s method of finding fixed point expandable messages for hash functions based on the Davies-Meyer construction. This forgery attack is also applicable to signature schemes based on the variant of RMX standardized by NIST in SP 800-106. We discuss some important applications of our attacks and their applicability to signature schemes based on hash functions with ‘built-in’ randomization. Finally, we compare our attacks on randomize-hash-then-sign schemes with the generic forgery attacks on the standard hash-based message authentication code (HMAC).
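An added example, not from the paper, illustrating the property the abstract relies on: for a Davies-Meyer compression function f(h, m) = E_m(h) XOR h, a fixed point for any message block m is h = D_m(0), obtained with a single decryption rather than a search. A constructed toy 64-bit Feistel cipher keyed by the message block stands in for the real block cipher; the property depends only on the Davies-Meyer shape, not on the cipher.

```python
# Toy Davies-Meyer compression function built on a constructed Feistel cipher.
# The cipher is for illustration only; SHA-1/SHA-2 and MD5 use their own
# internal block ciphers, but their compression functions have the same shape.
import hashlib

MASK32 = 0xFFFFFFFF
ROUNDS = 16
BLOCK_BYTES = 8  # toy message block size (the cipher key)

def _round_key(m: bytes, i: int) -> int:
    # Toy key schedule: 32-bit subkey derived from the message block and round index.
    return int.from_bytes(hashlib.sha256(m + bytes([i])).digest()[:4], "big")

def _F(x: int, k: int) -> int:
    # Toy round function; a Feistel network inverts regardless of what F is.
    return int.from_bytes(hashlib.sha256((x ^ k).to_bytes(4, "big")).digest()[:4], "big")

def encrypt(m: bytes, h: int) -> int:
    """E_m(h): 64-bit Feistel encryption of chaining value h under key m."""
    L, R = h >> 32, h & MASK32
    for i in range(ROUNDS):
        L, R = R, L ^ _F(R, _round_key(m, i))
    return (L << 32) | R

def decrypt(m: bytes, c: int) -> int:
    """D_m(c): the Feistel rounds run in reverse order."""
    L, R = c >> 32, c & MASK32
    for i in reversed(range(ROUNDS)):
        L, R = R ^ _F(L, _round_key(m, i)), L
    return (L << 32) | R

def davies_meyer(h: int, m: bytes) -> int:
    """Davies-Meyer compression: f(h, m) = E_m(h) XOR h."""
    assert len(m) == BLOCK_BYTES
    return encrypt(m, h) ^ h

def fixed_point(m: bytes) -> int:
    """h = D_m(0) satisfies f(h, m) = h, since E_m(h) = 0 and 0 XOR h = h.
    One decryption suffices; no search over chaining values is needed."""
    return decrypt(m, 0)

def iterate(h: int, blocks: list) -> int:
    """Plain Merkle-Damgard chaining (no length padding) from chaining value h."""
    for m in blocks:
        h = davies_meyer(h, m)
    return h

def demo() -> int:
    m = b"blockAAA"  # constructed 8-byte message block
    h = fixed_point(m)
    assert davies_meyer(h, m) == h
    # Once at the fixed point, absorbing further copies of m leaves the
    # chaining value unchanged. Merkle-Damgard length padding alone does not
    # remove this property, which is why designs that feed a block counter
    # into every compression call (or use a wider internal state) resist it.
    assert iterate(h, [m] * 5) == h
    return h

if __name__ == "__main__":
    print(hex(demo()))
```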



Author information

Correspondence to Praveen Gauravaram.

Additional information

This paper was solicited from EUROCRYPT 2009.

Communicated by Antoine Joux


Cite this article

Gauravaram, P., Knudsen, L.R. Security Analysis of Randomize-Hash-then-Sign Digital Signatures. J Cryptol 25, 748–779 (2012). https://doi.org/10.1007/s00145-011-9109-y


Key words

  • Collision resistance
  • Compression function
  • Davies–Meyer
  • Digital signature
  • Hash function
  • Merkle–Damgård
  • Randomized hashing
  • RMX
  • Second preimage resistance
  • SHA-3 hash function competition