Hash Functions: From Merkle-Damgård to Shoup

Post on 02-Jan-2016


Transcript of Hash Functions: From Merkle-Damgård to Shoup

Hash Functions: From Merkle-Damgård to Shoup

Ilya Mironov, Stanford University

Collision-resistant functions

Family of functions f_K : D → R.

Hard to win this game (Attacker vs. Challenger):

  Challenger picks k ∈ K at random and sends it to the Attacker.
  Attacker outputs a pair (x, y) with x ≠ y.
  Attacker wins if f_k(x) = f_k(y).

Collision-resistant functions can be used for:

Signature schemes

Commitment schemes

Commitment: Alice sends f_k(x) to Bob as a commitment to x, and reveals x later.

Signatures: given a signature algorithm σ(S), where |S| is fixed, we can sign any message M as σ(f_k(M)).

Good news: CRFs can be built based on number-theoretic assumptions:

Factoring: f(x) = (3F_16 || x)^2 mod N, where 3F_16 is the hexadecimal constant 3F prepended to x.

Discrete log: f(x || y) = g^x h^y.

Claw-free permutations: it is hard to find x, y with f(x) = g(y).

Bad news: practical CRFs are hard to construct.

MD4: broken. MD5: a serious weakness found. Flaw in the original SHA.

Useful alternative: UOWHFs (called WUFs in the rest of the talk)

Family of functions f_K : D → R.

Hard to win this game (Attacker vs. Challenger):

  Attacker first commits to x.
  Challenger then picks k ∈ K at random and sends it to the Attacker.
  Attacker outputs y ≠ x.
  Attacker wins if f_k(x) = f_k(y).

WUFs are good for signature schemes

Given an existentially secure signature algorithm σ(S), where |S| is fixed, we can sign any message M with (k, σ(k, f_k(M))), where k is chosen at random for each signature.

Reason: for a random k chosen after M is fixed, it is hard to find M1 ≠ M with f_k(M1) = f_k(M).

WUFs can be built from:

One-way functions

One-way permutations

Collision-resistant functions

Oracle separation (Simon '98):

There is an oracle relative to which one-way permutations exist but CRFs do not.

Interpretation: no "black box" construction of a CRF based on a WUF.

Conclusion: a CRF is a strictly stronger primitive than a WUF.

A family of CRFs (WUFs)

We want to make one concrete assumption, for instance: it is infeasible to find a collision (second preimage) in SHA-1.

Then derive a family of functions that take inputs of different lengths and hash them to a fixed-length output.

Good news: CRF families are easy to construct

Merkle-Damgård construction:

[Figure: IV → H_k(·, M0) → H_k(·, M1) → H_k(·, M2) → H_k(·, M3) → output; each call of H_k takes the previous chaining value and the next message block.]

Bad news: not so easy for WUF families

The Merkle-Damgård construction fails on WUFs (we cannot plug a weaker primitive into the construction), due to M. Bellare and P. Rogaway '97.

Shoup construction

M0, M1, …, ML are masks (tags), part of the key.

[Figure: IV → H_k(· ⊕ M0, x0) → H_k(· ⊕ M1, x1) → H_k(· ⊕ M0, x2) → H_k(· ⊕ M2, x3) → H_k(· ⊕ M0, x4) → H_k(· ⊕ M1, x5) → output; before each compression call the mask M0, M1, M0, M2, M0, M1 (in that order) is XORed into the chaining value.]
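The two chaining constructions above, Merkle-Damgård and Shoup, as an added example (not code from the talk). The keyed compression function H_k is a stand-in: SHA-256 over key, chaining value and block, with 32-byte chaining values and 32-byte message blocks (all assumptions). The mask index ν(i) for block i is the exponent of the highest power of 2 dividing i, which reproduces the M0, M1, M0, M2, M0, M1 pattern of the figure; the number of masks in the key is floor(log2 L) + 1 for a message of at most L blocks.

```python
import hashlib
import os

BLOCK = 32   # message block size in bytes (assumption for this example)
DIGEST = 32  # chaining value / output size in bytes (SHA-256 length)
IV = bytes(DIGEST)  # fixed all-zero initial value (assumption)


def compress(k: bytes, h: bytes, x: bytes) -> bytes:
    """Keyed compression function H_k(h, x): DIGEST + BLOCK bytes -> DIGEST bytes.
    SHA-256(k || h || x) is a stand-in for the fixed-input-length primitive the
    slides call H_k, not the construction the talk assumes."""
    assert len(h) == DIGEST and len(x) == BLOCK
    return hashlib.sha256(k + h + x).digest()


def pad(msg: bytes) -> list[bytes]:
    """Merkle-Damgård strengthening: append 0x80, zero bytes, then the 8-byte
    big-endian message length, and split into BLOCK-byte blocks."""
    length = len(msg).to_bytes(8, "big")
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK) + length
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def merkle_damgard(k: bytes, msg: bytes) -> bytes:
    """Plain Merkle-Damgård: h_i = H_k(h_{i-1}, M_{i-1}), starting from IV."""
    h = IV
    for x in pad(msg):
        h = compress(k, h, x)
    return h


def nu(i: int) -> int:
    """Exponent of the highest power of 2 dividing i (2-adic valuation), i >= 1."""
    assert i >= 1
    return (i & -i).bit_length() - 1


def mask_schedule(num_blocks: int) -> list[int]:
    """Mask index used before block 1, 2, ..., num_blocks."""
    return [nu(i) for i in range(1, num_blocks + 1)]


def shoup_keygen(max_blocks: int) -> tuple[bytes, list[bytes]]:
    """Key = (k for H_k, masks M_0 .. M_{floor(log2 max_blocks)})."""
    k = os.urandom(16)
    masks = [os.urandom(DIGEST) for _ in range(max_blocks.bit_length())]
    return k, masks


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def shoup(k: bytes, masks: list[bytes], msg: bytes) -> bytes:
    """Shoup construction: h_i = H_k(h_{i-1} XOR M_{nu(i)}, x_i), starting from IV."""
    blocks = pad(msg)
    if len(blocks).bit_length() > len(masks):
        raise ValueError("message too long for the number of masks in the key")
    h = IV
    for i, x in enumerate(blocks, start=1):
        h = compress(k, xor(h, masks[nu(i)]), x)
    return h


if __name__ == "__main__":
    k, masks = shoup_keygen(max_blocks=1 << 20)
    print("masks in key:", len(masks), "schedule for 6 blocks:", mask_schedule(6))
    print("MD   :", merkle_damgard(k, b"constructed sample message").hex())
    print("Shoup:", shoup(k, masks, b"constructed sample message").hex())
```

The key grows only logarithmically with the maximum message length, which is why the signature sizes later in the talk grow from 1.81 Kb to 4.87 Kb rather than linearly.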

Example: RSA signature (H is a CRF):

S = H(M)^e mod N.

If we use a WUF (SHA-1, Shoup scheme):

S = K || (h_K'(K) || h_K(M))^e mod N.

Signature size:

  |M|      CRF: |S|    WUF: |S|
  1 Kb     1 Kb        1.81 Kb
  1 Mb     1 Kb        3.22 Kb
  1 Gb     1 Kb        4.87 Kb
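The WUF-based signing rule from the earlier slide, (k, σ(k, f_k(M))) with k chosen at random per signature, as an added example that is not the talk's code. Textbook RSA with a freshly generated modulus stands in for the fixed-input-length signature algorithm σ (signing with the private exponent d, verifying with e); a keyed SHA-256 stands in for the WUF h_K; the key length of 16 bytes is an assumption. The example also shows why k must be under the signature: swapping in a different k breaks verification.

```python
import hashlib
import os
import random

_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test with trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full size, odd
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512) -> tuple[int, int, int]:
    """Toy textbook RSA key (e, d, N); the stand-in for sigma(S)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return e, pow(e, -1, phi), p * q


KEY_LEN = 16  # bytes of the per-signature random WUF key k (assumption)


def f(k: bytes, M: bytes) -> bytes:
    """WUF stand-in h_k(M): keyed SHA-256 (assumption, not the talk's h_K)."""
    return hashlib.sha256(k + M).digest()


def fixed_input(k: bytes, M: bytes) -> int:
    """S = k || f_k(M): a 48-byte value, the fixed-length input handed to sigma."""
    return int.from_bytes(k + f(k, M), "big")


def sign(d: int, N: int, M: bytes) -> tuple[bytes, int]:
    """Signature = (k, sigma(k, f_k(M))); k is drawn after M is fixed."""
    k = os.urandom(KEY_LEN)
    return k, pow(fixed_input(k, M), d, N)


def verify(e: int, N: int, M: bytes, sig: tuple[bytes, int]) -> bool:
    k, s = sig
    return len(k) == KEY_LEN and pow(s, e, N) == fixed_input(k, M)


def signature_bytes(sig: tuple[bytes, int], N: int) -> int:
    """Total size: |k| plus one RSA element, the cost of the WUF approach."""
    k, _ = sig
    return len(k) + (N.bit_length() + 7) // 8


if __name__ == "__main__":
    e, d, N = rsa_keygen(512)
    sig = sign(d, N, b"constructed sample message")
    print("verifies:", verify(e, N, b"constructed sample message", sig))
    print("signature bytes:", signature_bytes(sig, N))
```

Compared with the CRF case, the signature carries the hash key alongside the RSA element; with Shoup's construction in place of the single-key stand-in above, that key includes the masks and grows with the logarithm of the message length, which is the source of the 1.81 Kb to 4.87 Kb column.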

Difficult choice

CRFs: theoretically and practically harder to construct; have an efficient composition scheme.

WUFs: easier to construct; don't have an efficient composition scheme.

Continuum of functions: commit to some bits of x

Game (Attacker vs. Challenger):

  Attacker sends x0 (the committed bits) to the Challenger.
  Challenger picks k ∈ K at random and sends it to the Attacker.
  Attacker outputs x1 and y.
  Attacker wins if f_k(x1, x0) = f_k(y).

Class H(n→m; l): |y| = |x0| + |x1| = n; |x1| = l is the flexibility; the output of f has length m.

H(n→m; 0) and H(n→m; n) have names

H(n→m; 0) is a WUF: the Attacker commits x0 = x and x1 = λ (empty), then, given k, outputs y with f_k(x) = f_k(y).

H(n→m; n) is a CRF: x0 = λ, and the Attacker, given k, outputs x1 = x and y with f_k(x) = f_k(y).

Merkle-Damgård construction works (with a minor modification) for H(n→m; m)

[Figure: M0 → H_k(·, M1) → H_k(·, M2) → H_k(·, M3) → H_k(·, M4) → output; the first block M0 takes the place of the IV.]

Jump somewhere? CRFs and WUFs can be separated.

Where, in H(n→m; 0), H(n→m; 1), …, H(n→m; n)?

Separation: H(n→m; 0) … H(n→m; m + O(log m)) form one class of complexity-theoretic equivalence; H(n→m; m + m^c) … H(n→m; n) form another class.

The gap does not exist if there are "ideally secure" WUFs.

Another approach: can the Shoup construction be improved?

[Figure: IV → H_k(· ⊕ M_ν(0), x0) → H_k(· ⊕ M_ν(1), x1) → … → H_k(· ⊕ M_ν(5), x5) → output; mask M_ν(i) is XORed into the chaining value before block x_i.]

The function ν is optimal

ν(k) = highest power of 2 dividing k (as a mask index, the exponent of that power, which gives the M0, M1, M0, M2, M0, M1 pattern of the figure) is optimal. Constructive proof + counting argument.

Open question: how short can the key of a family of WUFs be?

Conjecture: key length must be Ω(log m).

Reason: it can't be a coincidence!