On Randomizing Hash Functions to Strengthen the Security of Digital Signatures

Halevi and Krawczyk proposed a message randomization algorithm called RMX as a front-end to hash-then-sign digital signature schemes such as DSS and RSA, in order to remove their reliance on the collision resistance of the underlying hash function. They showed that forging an RMX-hash-then-sign signature requires solving a cryptanalytic task related to finding second preimages for the hash function. In this article, we show how to use Dean's method of finding expandable messages, originally devised for finding second preimages in Merkle-Damgård hash functions, to existentially forge a signature scheme based on a t-bit RMX-hash function built from a Davies-Meyer compression function (e.g., MD4, MD5 and the SHA family) using 2^{t/2} chosen messages plus 2^{t/2+1} off-line operations of the compression function and a similar amount of memory. The forgery attack also applies to signature schemes that use Davies-Meyer hash functions together with the variant of RMX published by NIST in its Draft Special Publication (SP) 800-106. We discuss some important applications of our attack.
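The building block the abstract relies on is Dean's observation that a Davies-Meyer compression function f(h, m) = E_m(h) XOR h has an easily computed fixed point for every message block m, namely h = D_m(0), which yields expandable messages and hence a second preimage for a Merkle-Damgård hash in far less than 2^t work. The following is an added illustration written for this page, not code from the paper or from Halevi and Krawczyk: it runs Dean's second-preimage attack against a toy 16-bit Merkle-Damgård hash whose compression function is Davies-Meyer over a tiny Feistel cipher. The cipher, its key schedule, the IV, the state size t = 16 and the search bounds are all assumptions chosen so that the 2^{t/2} searches finish instantly; the target message is constructed. It demonstrates the unrandomized second-preimage step only, not the RMX forgery the paper builds on top of it.

```python
# Added example (not from the paper): Dean's fixed-point expandable messages
# against a toy Merkle-Damgard hash with a Davies-Meyer compression function.
# The cipher, state size, IV and search bounds are assumptions for the demo;
# they do not model any real hash function.
import random

T = 16                      # toy state/block size in bits (assumption)
MASK = (1 << T) - 1
IV = 0x6a09                 # arbitrary toy IV (assumption)
ROUNDS = 4


def _f(x):
    # Nonlinear 8-bit round function: cubing in GF(257), mapped back to 0..255.
    return pow(x + 1, 3, 257) - 1


def _rk(m, i):
    # Toy key schedule: rotate the 16-bit block by 4i bits, then take one byte.
    rot = ((m << (4 * i)) | (m >> (T - 4 * i))) & MASK
    return (rot * (2 * i + 1) + i) & 0xff


def encrypt(m, h):
    """Toy 16-bit Feistel cipher E_m(h), keyed by the message block m."""
    l, r = h >> 8, h & 0xff
    for i in range(ROUNDS):
        l, r = r, l ^ _f(r ^ _rk(m, i))
    return (l << 8) | r


def decrypt(m, c):
    """Inverse D_m(c): the Feistel rounds undone in reverse order."""
    l, r = c >> 8, c & 0xff
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(l ^ _rk(m, i)), l
    return (l << 8) | r


def compress(h, m):
    """Davies-Meyer compression: f(h, m) = E_m(h) XOR h."""
    return encrypt(m, h) ^ h


def md_hash(blocks):
    """Merkle-Damgard iteration with MD strengthening (length block appended)."""
    h = IV
    for m in list(blocks) + [len(blocks) & MASK]:
        h = compress(h, m)
    return h


def fixed_point(m):
    """Davies-Meyer fixed point: h = D_m(0) gives f(h, m) = E_m(D_m(0)) ^ h = h."""
    return decrypt(m, 0)


def dean_second_preimage(target, seed=1):
    """Return a different block list with the same md_hash as `target`."""
    L = len(target)
    if L < 2:
        raise ValueError("target must have at least two blocks")
    rng = random.Random(seed)
    # Intermediate chaining values H_i of the target (value after block i).
    chain = {}
    h = IV
    for i, m in enumerate(target, start=1):
        h = compress(h, m)
        if i >= 2:              # the link block can be no earlier than block 2
            chain[h] = i
    # Off-line: 2^(t/2) fixed points (m_j, h_j), one decryption each.
    fps = {}
    for _ in range(1 << (T // 2)):
        m = rng.randrange(1 << T)
        fps[fixed_point(m)] = m
    # Birthday step: random first block p until f(IV, p) equals some h_j.
    for _ in range(1 << T):
        p = rng.randrange(1 << T)
        hp = compress(IV, p)
        if hp in fps:
            break
    else:
        raise RuntimeError("no expandable message found")
    m_fp = fps[hp]              # p || m_fp^k hashes to hp for every k >= 0
    # Link step: random block y taking hp to one of the target's chaining values.
    for _ in range(1 << T):
        y = rng.randrange(1 << T)
        i = chain.get(compress(hp, y))
        if i is not None:
            break
    else:
        raise RuntimeError("no link block found")
    # Expand to exactly i-1 blocks, append the link block, reuse the target's tail.
    forged = [p] + [m_fp] * (i - 2) + [y] + list(target[i:])
    assert len(forged) == L     # equal length, so the padding block matches too
    return forged


if __name__ == "__main__":
    msg = [random.Random(7).randrange(1 << T) for _ in range(64)]  # constructed
    forged = dean_second_preimage(msg)
    print(hex(md_hash(msg)), hex(md_hash(forged)), forged != msg)
```

The two searches each cost about 2^{t/2} compression-function calls for the expandable message and about 2^t / L for the link block, which is what makes long-message second preimages cheap for any Davies-Meyer-based Merkle-Damgård design; RMX on its own does not change the fact that D_m(0) is a fixed point of f for every block m.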

[1] Mihir Bellare et al. Collision-Resistant Hashing: Towards Making UOWHFs Practical. CRYPTO, 1997.

[2] Bruce Schneier. One-way hash functions. 1991.

[3] Eli Biham et al. TIGER: A Fast New Hash Function. FSE, 1996.

[4] Alfred Menezes et al. The Elliptic Curve Digital Signature Algorithm (ECDSA). International Journal of Information Security, 2001.

[5] Hugo Krawczyk et al. Keying Hash Functions for Message Authentication. CRYPTO, 1996.

[6] Ed Dawson et al. Attacks on MD5 and SHA-1: Is this the "Sword of Damocles" for Electronic Commerce? 2006.

[7] Ronald L. Rivest et al. The MD4 Message-Digest Algorithm. RFC, 1990.

[8] Hugo Krawczyk et al. Implementing the Halevi-Krawczyk Randomized Hashing Scheme. 2007.

[9] Marc Stevens et al. Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. EUROCRYPT, 2007.

[10] Ilya Mironov et al. Collision-Resistant No More: Hash-and-Sign Paradigm Revisited. Public Key Cryptography, 2006.

[11] Hugo Krawczyk et al. Strengthening Digital Signatures Via Randomized Hashing. CRYPTO, 2006.

[12] Eli Biham et al. A Framework for Iterative Hash Functions - HAIFA. IACR Cryptology ePrint Archive, 2007.

[13] Dan Boneh et al. Digital Signature Standard. Encyclopedia of Cryptography and Security, 2005.

[14] Xiaoyun Wang et al. How to Break MD5 and Other Hash Functions. EUROCRYPT, 2005.

[15] Dan Boneh et al. Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. Journal of Cryptology, 2008.

[16] Kazuo Ohta et al. Confirmation that Some Hash Functions Are Not Collision Free. EUROCRYPT, 1991.

[17] Kan Yasuda et al. How to Fill Up Merkle-Damgård Hash Functions. ASIACRYPT, 2008.

[18] Joos Vandewalle et al. Hash Functions Based on Block Ciphers: A Synthetic Approach. CRYPTO, 1993.

[19] Bruce Schneier et al. Second Preimages on n-bit Hash Functions for Much Less than 2^n Work. IACR Cryptology ePrint Archive, 2005.

[20] Andrew W. Appel et al. Formal aspects of mobile code security. 1999.

[21] J. Leasure et al. Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3). 2007.

[22] Xuejia Lai et al. Security of Iterated Hash Functions Based on Block Ciphers. CRYPTO, 1994.

[23] Charles Cresson Wood. Security for computer networks: D.W. Davies and W.L. Price, New York: John Wiley and Sons, 1984, 386 + xix pages, $19.50. Computers & Security, 1985.

[24] Hugo Krawczyk et al. The RMX Transform and Digital Signatures. 2006.

[25] Xiaoyun Wang et al. Finding Collisions in the Full SHA-1. CRYPTO, 2005.

[26] Arjen K. Lenstra et al. On the Possibility of Constructing Meaningful Hash Collisions for Public Keys. ACISP, 2005.

[27] Eric Rescorla et al. Deploying a New Hash Algorithm. NDSS, 2006.

[28] Ralph C. Merkle et al. One Way Hash Functions and DES. CRYPTO, 1989.

[29] Selim G. Akl et al. On the Security of Compressed Encodings. CRYPTO, 1983.

[30] Quynh H. Dang. SP 800-106. Randomized Hashing for Digital Signatures. 2009.

[31] Serge Vaudenay et al. Hash-and-Sign with Weak Hashing Made Secure. ACISP, 2007.

[32] Ivan Damgård et al. A Design Principle for Hash Functions. CRYPTO, 1989.

[33] Donald W. Davies et al. Security for computer networks - an introduction to data security in teleprocessing and electronic funds transfer (2nd ed.). Wiley series in communication and distributed systems, 1989.

[34] Stefan Lucks et al. A Failure-Friendly Design Principle for Hash Functions. ASIACRYPT, 2005.

[35] Dag Arne Osvik et al. MD5 considered harmful today, creating a rogue CA certificate. 2008.

[36] Florian Mendel et al. Symmetric Cryptography. 2009.

[37] Ronald L. Rivest et al. The MD5 Message-Digest Algorithm. RFC, 1992.

[38] Silvio Micali et al. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal on Computing, 1988.