Abstract
We present new, efficient and practical schemes for construction of collision-resistant hash functions, and analyze some simple methods for combining existing hash-function designs so as to enhance their security.
In our new constructions, we first map the input to a slightly longer string using a primitive we introduce called secure stretch functions. These are length-increasing almost surely injective one-way functions that sufficiently randomize their inputs so that it is hard for an adversary to force the outputs to fall into a target set. Then we apply a compression function to the output of the stretch function. We analyze the security of these constructions under different types of assumptions on both stretch and compression functions. These assumptions combine random-function models, intractability of certain “biasing” tasks, and the degeneracy structure of compression functions. The use of stretching seems to allow reduced requirements on the compression function, and may be of independent interest.
These constructions allow one to use popular and efficient primitives such as MD5, SHA-1, and RIPEMD even though they may exhibit weaknesses as collision-resistant functions: no attacks are currently known on their one-way and randomizing properties, which are the properties our constructions require of them when they are used as stretch functions. There are several collision-resistant hash functions based on DES for which there are no known effective attacks, but which are too slow for most practical applications. Our use of stretch functions enables us to base our compression function on DES so that the resulting hash function achieves practical speeds: a test implementation runs at 40% of the speed of MD5.
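To make the stretch-then-compress structure of the preceding two paragraphs concrete, here is an added illustration in Go; it is not code from the paper and does not reproduce the authors' stretch or compression functions, which are not specified on this page. The stretch function S(x) = x || SHA-1(x) is an assumed stand-in that is trivially injective and length-increasing while its SHA-1 tail supplies the randomizing, one-way part; the compression function is a Matyas-Meyer-Oseas step over single DES with Merkle-Damgard strengthening and an arbitrary fixed IV, also an assumption. Because single DES has a 64-bit block, this toy yields a 64-bit digest, which is far too short to be collision-resistant (a 2^32 birthday search); a practical DES-based compression function must produce a wider chaining value. The example demonstrates only the composition C(S(x)).

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Stretch maps x to a slightly longer string. This particular choice
// (x followed by SHA-1(x)) is an assumption for illustration, not the
// paper's construction: the verbatim copy of x makes the map injective and
// length-increasing, and the SHA-1 tail is the one-way, randomizing part.
func Stretch(x []byte) []byte {
	tag := sha1.Sum(x) // 20 bytes
	out := make([]byte, 0, len(x)+len(tag))
	out = append(out, x...)
	return append(out, tag[:]...)
}

// iv is an arbitrary fixed chaining value (assumed constant; a non-weak DES key).
var iv = [8]byte{0x67, 0x45, 0x23, 0x01, 0xef, 0xcd, 0xab, 0x89}

// desMMO is one Matyas-Meyer-Oseas compression step on single DES:
// h_i = E_{h_{i-1}}(m_i) XOR m_i, with the 8-byte chaining value used
// directly as the DES key (DES ignores the parity bits).
func desMMO(h, m [8]byte) [8]byte {
	blk, err := des.NewCipher(h[:])
	if err != nil {
		panic(err) // only a wrong key length fails, which cannot happen here
	}
	var out [8]byte
	blk.Encrypt(out[:], m[:])
	for i := range out {
		out[i] ^= m[i]
	}
	return out
}

// pad applies Merkle-Damgard strengthening: 0x80, zero bytes to an 8-byte
// boundary, then the 64-bit big-endian bit length of the unpadded input.
func pad(s []byte) []byte {
	bitLen := uint64(len(s)) * 8
	p := append([]byte{}, s...)
	p = append(p, 0x80)
	for len(p)%8 != 0 {
		p = append(p, 0x00)
	}
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], bitLen)
	return append(p, l[:]...)
}

// Hash is the stretch-then-compress construction: the compression function
// is iterated over the padded output of the stretch function, never over x
// itself. The 64-bit result is a toy; see the note above the code.
func Hash(x []byte) [8]byte {
	h := iv
	msg := pad(Stretch(x))
	for i := 0; i < len(msg); i += 8 {
		var m [8]byte
		copy(m[:], msg[i:i+8])
		h = desMMO(h, m)
	}
	return h
}

func main() {
	x := []byte("constructed sample input") // constructed sample, not from the paper
	s := Stretch(x)
	fmt.Printf("stretch: %d -> %d bytes\n", len(x), len(s))
	d := Hash(x)
	fmt.Println("digest:", hex.EncodeToString(d[:]))
}
```

The property to check before trusting such a composition is the one the abstract names for S: that it is length-increasing and injective, so that a collision in Hash can only come from the compression stage on strings an adversary could not steer into a target set. With x kept as a prefix of S(x), injectivity is immediate; with a different stretch design that property has to be argued separately.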
We also suggest some imperfect random-oracle models, showing how to build better primitives from given imperfect ones. In this vein, we also analyze how to defend against a collision-finding adversary for a given primitive by building “independent” primitives.
Part of this work was done while the authors were with Bellcore and Surety.
© 1998 Springer-Verlag Berlin Heidelberg
Cite this paper
Aiello, W., Haber, S., Venkatesan, R. (1998). New Constructions for Secure Hash Functions. In: Vaudenay, S. (eds) Fast Software Encryption. FSE 1998. Lecture Notes in Computer Science, vol 1372. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-69710-1_11
DOI: https://doi.org/10.1007/3-540-69710-1_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-64265-7
Online ISBN: 978-3-540-69710-7