Practical Hash Functions Constructions Resistant to Generic Second Preimage Attacks Beyond the Birthday Bound

Most cryptographic hash functions rely on a simpler primitive called a compression function, and in nearly all cases, there is a reduction between some of the security properties of the full hash function and those of the compression function. For instance, a celebrated result of Merkle and Damgård from 1989 states that a collision on the hash function cannot be found without finding a collision on the compression function at the same time. This is however not the case for another basic requirement, namely second preimage resistance. In fact, on many popular hash functions it is possible to find a second preimage on the iteration without breaking the compression function. This paper studies the resistance of two practical modes of operations of hash functions against such attacks. We prove that the known generic second preimage attacks against the Merkle-Damgård construction are optimal, and that there is no generic second preimage attack faster than exhaustive search on Haifa, a recent proposal by Biham and Dunkelman.
