A Framework for Iterative Hash Functions - HAIFA

Since the seminal works of Merkle and Damgård on the iteration of compression functions, hash functions were built from compression functions using the Merkle-Damgård construction. Recently, several flaws in this construction were identified, allowing for second pre-image attacks and chosen target pre-image attacks on such hash functions even when the underlying compression functions are secure. In this paper we propose the HAsh Iterative FrAmework (HAIFA). Our framework can fix many of the flaws while supporting several additional properties such as defining families of hash functions and supporting variable hash size. HAIFA allows for an online computation of the hash function in one pass with a fixed amount of memory independently of the size of the message. Besides our proposal, the recent attacks initiated research on the way compression functions are to be iterated. We show that most recent proposals such as randomized hashing, the enveloped Merkle-Damgård, and the RMC and ROX modes can all be instantiated as part of the HAsh Iterative FrAmework (HAIFA).
