A new Design Criteria for Hash-Functions

Transcription

1 A new Design Criteria or Hash-Functions Jean-Sébastien Coron 1, Yevgeniy Dodis 2, Cécile Malinaud 3, and Prashant Puniya 2 1 University o Luxembourg, coron@clipper.ens.r 2 New-York University, {dodis,puniya}@cs.nyu.edu 3 Gemplus Card International, cecile.malinaud@normalesup.org Abstract. The most common way o constructing a hash unction (e.g., SHA-1) is to iterate a compression unction on the input message. The compression unction is usually designed rom scratch or made out o a block-cipher. In this paper, we introduce a new security notion or hash-unctions, stronger than collision-resistance. Under this notion, the arbitrary length hash unction H must behave as a random oracle when the ixed-length building block is viewed as an ideal primitive. This enables to eliminate all possible generic attacks against iterative hash-unctions. In this paper, we show that the current design principle behind hash unctions such as SHA-1 and MD5 the (strengthened) Merkle-Damgård transormation does not satisy this security notion. We provide several constructions that provably satisy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice. This paper is a modiied version o a paper to appear at Crypto Introduction Hash Function Design. The most common way o constructing a hash unction is to iterate a compression unction on the input message. The compression unction is usually designed rom scratch or made out o a block-cipher. More precisely, an arbitrary-length hash unction is built by irst heuristically constructing a ixed-length building block, such as a ixed-length compression unction or a block cipher, and then iterating this building block in some manner to extend the input domain arbitrarily. For example, SHA-1 [17], MD5 [19], as well as all the other hash unction we know o, are constructed by applying some variant o the Merkle-Damgård construction to an underlying compression unction : {0,1} n+κ {0,1} n (see Figure 5): Function H(m 1,...,m l ) : let y 0 = 0 n (more generally, some ixed IV value can be used) or i = 1 to l do y i (y i 1,m i ) return y l When the number o κ-bit message blocks l is not ixed, one essentially appends an extra block m l+1 containing the binary representation m o the length o the message (prepended by 1 and a string o 0 s in order to make everything a multiple o κ; the exact details will not matter or our discussion). The ixed-length compression unction can either be constructed rom scratch or made out o a block-cipher E via the Davies-Meyer construction (see [32] and Figure 9): (x,y) = E y (x) x. For example, the SHA-1 compression unction was designed speciically or hashing, but a block-cipher can nevertheless be derived rom it, as illustrated in [21]. It is well known that this construction is vulnerable to a so-called message expansion attack : given the hash o m, one can easily compute the hash o m y or any arbitrary block Supported by NSF CAREER Award CCR and TC Grant No. CCR Supported by NSF Cybertrust/DARPA Grant No. CNS

2 y. Let us illustrate this attack with a well known example. A common suggestion to construct a MAC algorithm is to simply include a secret key k as part o the input o the hash unction, and take or example MAC(k,m) = H(k m). It is easy to see that this construction is secure when H is modelled as a random oracle [4], as no adversary can output a MAC orgery except with negligible probability. However, this MAC scheme is completely insecure or any Merkle-Damgård construction considered so ar (including Merkle-Damgård strengthening used in current hash unctions such as SHA-1, and any o the 64 block-cipher based variants o iterative hash-unctions considered in [30, 9]), no matter which (ideal) compression unction (or a block cipher E) is used. Namely, given MAC(k,m) = H(k m), one can extend the message m with any single arbitrary block y and deduce MAC(k, m y) = H(k m y) without knowing the secret key k (even with Merkle-Damgård strengthening, one could still orge the MAC by more or less setting y = m, where the actual block depends on the exact details o the strengthening). This (well known) example illustrates that the construction o a MAC rom an iterated hash unction requires a speciic analysis, and cannot be derived rom the security o this MAC with a monolithic hash unction H. One can view this message expansion attack as a generic attack since it applies or any compression unction or blockcipher used in the Merkle-Damgård construction. We believe that a good design criteria or hash-unctions should eliminate all possible generic attacks. It is well known that or the particular case o MACs one should use the HMAC nested construction [8] in order to avoid the previous message expansion attack. However, there may exist other applications and protocols which may be secure when the hash unction H is seen as a monolithic hash unction, but completely insecure when an iterative Merkle-Damgård hash unction is used instead. More precisely, a proo in the random oracle model [4] indicates that no attacker can break the scheme when when H is seen as a monolithic random oracle, but it does not say anything when an iterated hash unction built rom a some smaller building block is used instead. Since the real implementation o H as an iterated hash unction has much more structure than a random monolithic hash unction would have, this structure could possibly help the attacker and somehow invalidate the proo in the random oracle model. To put this into a dierent perspective, all the ad-hoc (and hopeully secure ) design eort or widely used hash unctions such as SHA-1 has been placed into the design o the ixed-length building block (or E). On the other hand, even i (or E) were assumed to be ideal, the current proos in the random oracle model do not guarantee the security o the resulting system when such iterated hash unction H is used! To summarize, we believe that a good design criteria or hash unctions is to eliminate all possible generic attacks right rom the beginning, and not to rely on ad-hoc constructions in order to eliminate those generic attacks. Our Goals. Our goal is two-old. First, we would like to obtain a design criteria or hashunctions that would rule out all possible generic attacks. In other words, an adversary should not be able to take advantage o the iterative structure o the hash-unction. Second, while the design criteria we seek should not be too speciic to some variant o the Merkle-Damgård transormation, we would like to give secure constructions which resemble what is done in practice as much as possible. Unortunately, we already argued that the current design principle behind hash unctions such as SHA-1 and MD5 the (strengthened) Merkle-Damgård transormation will not be secure or our ambitious goal. Thereore, instead o giving new and practically unmotivated constructions, our secondary goal is to come up with minimal and easily implementable in practice changes to the plain Merkle-Damgård construction, which would satisy our security deinition. Our results. This paper is a modiied version o a paper to appear at Crypto 2005 [13]. First, we give a satisactory deinition o what it means to implement an arbitrary-length hash-unction that resists all possible generic attacks. Intuitively, an iterative hash-unction should behave as a truly random hash unction, that is, it should emulate a random oracle. The random oracle model has been introduced by Bellare and Rogaway as a paradigm or

3 designing eicient protocols [4]. It assumes that all parties, including the adversary, have access to a public, truly random hash unction H. This model has been proven extremely useul or designing simple, eicient and highly practical solutions or many problems. We provide a ormal deinition o what is means to emulate a random oracle H rom a ixedlength building block or E. Our deinition is based on the indierentiability ramework o Maurer et al. [24]. The key property o this deinition is that i a particular construction o H rom (or E) meets this deinition, then any application proven secure assuming H is a random oracle would remain secure i we plug in our construction (although still assuming that the underlying ixed-length primitive or E was ideal). In other words, we can saely use our implementation o H as i we were using a monolithic random oracle H. This implies that our implementation o H will rule out all possible generic attacks. Having a good security deinition, we provide several provable constructions. We start by giving three modiications to the (insecure) plain Merkle-Damgård construction which yield a secure random oracle H taking arbitrary-length input, rom a compression unction viewed as a random oracle taking ixed-length input. This result can be viewed as a secure domain extender or the random oracle, which is an interesting result o independent interest. We remark that domain extenders are well studied or such primitives as collision-resistant hash unctions [14, 26], pseudorandom unctions [8], MACs [1, 25] and universal one-way hash unctions [7, 31]. Although the above works also showed that some variants o Merkle-Damgård yield secure domain extenders or the corresponding primitive in question, these results are not suicient to claim a domain extender or the random oracle. Our secure modiications to the plain Merkle-Damgård construction are the ollowing. (1) Preix-Free Encoding : we show that i the inputs to the plain MD construction are guaranteed to be preix-ree, then the plain MD construction is secure. (2) Dropping Some Output Bits : we show that by dropping a non-trivial number o output bits rom the plain MD chaining, we get a secure random oracle H even i the input is not encoded in the preix-ree manner. (3) Using NMAC construction (see Figure 8a): we show that by applying an independent hash unction g to the output o the plain MD chaining (as in the NMAC construction [8]), then once again we get a secure construction o an arbitrary-length random oracle H, in the random oracle model or and g. (4) Using HMAC Construction (see Figure 8b): we show a slightly modiied variant o the NMAC construction allowing us to conveniently build the unction g rom the compression unction itsel (as in [8] when going rom NMAC to HMAC)! In this latter variant, one implements a secure hash unction H by making two black-box calls to the plain Merkle-Damgård construction (with the same ixed IV and a given compression unction ): irst on (l + 1)-block input 0 κ m 1...m l, getting an n-bit output y, and then on one-block κ-bit input y (obtained by either truncating or padding y depending on whether or not κ > n), getting the inal output. However, in practice most hash-unction constructions are block-cipher based, either explicitly as in [30] or implicitly as or SHA-1. Thereore, we consider the question o designing an arbitrary-length random oracle H rom an ideal block cipher E, speciically concentrating on using the Merkle-Damgård construction with the Davies-Meyer compression unction (x,y) = E y (x) x, since this is the most practically relevant construction. We show that all o the our ixes to the plain MD chaining which worked when was a ixed-length random oracle, are still secure (in the ideal cipher model) when we plug in (x,y) = E y (x) x instead. Speciically, we can either use a preix-ree encoding, or drop a non-trivial number o output bits (this has already been used in practice in the design o hash unctions SHA-348 and SHA-224 [18], both obtained by dropping some output bits rom SHA-512 and SHA-256), or apply an independent random oracle g to the output o plain MD chaining, or use the optimized HMAC construction which allows us to build this unction g rom the ideal cipher itsel.

4 2 Deinitions In this section, we introduce the main notations and deinitions used throughout the paper. Our security notion or secure hash-unction is based on the notion o indierentiability o systems, introduced by Maurer et al. in [24]. This is an extension o the classical notion o indistinguishability, when one or more oracles are publicly available, such as random oracles or ideal ciphers. This notion is based on ideas rom the Universal Composition ramework introduced by Canetti in [10] and on the model o Pitzmann and Waidner [29]. The indierentiability notion in [24] is given in the ramework o random systems providing interaces to other systems, but equivalently we use this notion in the ramework o Interactive Turing Machines (as in [10]). We deine an ideal primitive as an algorithmic entity which receives inputs rom one o the parties and deliver its output immediately to the querying party. The ideal primitives that we consider in this paper are random oracles and ideal ciphers. A random oracle [4] is an ideal primitive which provides a random output or each new query. Identical input queries are given the same answer. An ideal cipher is an ideal primitive that models a random blockcipher E : {0,1} κ {0,1} n {0,1} n. Each key k {0,1} κ deines a random permutation E k = E(k, ) on {0,1} n. The ideal primitive provides oracle access to E and E 1 ; that is, on query (0,k,m), the primitive answers c = E k (m), and on query (1,k,c), the primitive answers m such that c = E k (m). We now proceed to the deinition o indierentiability [24] : Deinition 1. A Turing machine C with oracle access to an ideal primitive G is said to be (t D,t S,q,ε) indierentiable rom an ideal primitive F i there exists a simulator S, such that or any distinguisher D it holds that : Pr [ D C,G = 1 ] Pr [ D F,S = 1 ] < ε The simulator has oracle access to F and runs in time at most t S. The distinguisher runs in time at most t D and makes at most q queries. Similarly, C G is said to be (computationally) indierentiable rom F i ε is a negligible unction o the security parameter k (or polynomially bounded t D and t S ). As illustrated in Figure 1, the role o the simulator is to simulate the ideal primitive G so that no distinguisher can tell whether it is interacting with C and G, or with F and S; in other words, the output o S should look consistent with what the distinguisher can obtain rom F. Note that the simulator does not see the distinguisher s queries to F; however, it can call F directly when needed or the simulation. C G F S D Fig. 1. The indierentiability notion: the distinguisher D either interacts with algorithm C and ideal primitive G, or with ideal primitive F and simulator S. Algorithm C has oracle access to G, while simulator S has oracle access to F. In the rest o the paper, the algorithm C will represent the construction o an iterative hash-unction (such as the Merkle-Damgård construction recalled in the introduction). The

5 ideal primitive G will represent the underlying primitive used to build the hash-unction. G will be either a random oracle (when the compression unction is modelled as a random oracle), or an ideal block-cipher (when the compression unction is based on a block-cipher). The ideal primitive F will represent the random oracle that the construction C should emulate. Thereore, one obtains the ollowing setting : the distinguisher has oracle access to both the block-cipher and the hash-unction, and these oracles are implemented in one o the ollowing two ways: either the block-cipher E is chosen at random and the hash-unction C is constructed rom it, or the hash-unction H is chosen at random and the block-cipher is implemented by a simulator S with oracle access to H. Those two cases should be indistinguishable, that is the distinguisher should not be able to tell whether the block-cipher was chosen at random and the iterated hash-unction constructed rom it, or the hash-unction was chosen at random and the block-cipher then tailored to match that hash-unction. It is shown in [24] that i C G is indierentiable rom F, then C G can replace F in any cryptosystem, and the resulting cryptosystem is at least as secure in the G model as in the F model. For example, i a block-cipher based iterative hash unction is indierentiable rom a random oracle in the ideal cipher model, then the iterative hash-unction can replace the random oracle in any cryptosystem, and the resulting cryptosystem remains secure in the ideal cipher model i the original scheme was secure in the random oracle model. C G F P A P A' ε ε Fig. 2. The environment E interacts with cryptosystem P and attacker A. In the G model (let), P has oracle access to C whereas A has oracle access to G. In the F model, both P and A have oracle access to F We use the deinition o [24] to speciy what it means or a cryptosystem to be at least as secure in the G model as in the F model. A cryptosystem is modelled as an Interactive Turing Machine with an interace to an adversary A and to a public oracle. The cryptosystem is run by an environment E which provides a binary output and also runs the adversary. In the G model, cryptosystem P has oracle access to C whereas attacker A has oracle access to G. In the F model, both P and A have oracle access to F. The deinition is illustrated in Figure 2. Deinition 2. A cryptosystem is said to be at least as secure in the G model with algorithm C as in the F model, i or any environment E and any attacker A in the G model, there exists an attacker A in the F model, such that Pr [ E(P C, A G ) = 1 ] Pr [ E(P F, A F ) = 1 ] is a negligible unction o the security parameter k. Similarly, a cryptosystem is said to be computationally at least as secure, etc., i E, A and A are polynomial-time in k. The ollowing theorem rom [24] shows that security is preserved when replacing an ideal primitive by an indierentiable one :

6 Theorem 1. Let P be a cryptosystem with oracle access to an ideal primitive F. Let C be an algorithm such that C G is indierentiable rom F. Then cryptosystem P is at least as secure in the G model with algorithm C as in the F model. Proo. We only provide a proo sketch; see [24] or a ull proo. Let P be any cryptosystem, modelled as an Interactive Turing Machine. Let E be any environment, and A be any attacker in the G model. In the G model, P has oracle access to C whereas A has oracle access to ideal primitive G; moreover environment E interacts with both P and A. This is illustrated in Figure 3 (let part). C G F S A' P A P A D ε D ε Fig. 3. Construction o attacker A rom attacker A and simulator S. Since C G is indierentiable rom F (see Figure 1), one can replace (C, G) by (F,S) with only a negligible modiication o the environment s output distribution. As illustrated in Figure 3, by merging attacker A and simulator S, one obtains an attacker A in the F model, and the dierence in E s output distribution is negligible. 3 Domain Extension or Random Oracles In this section, we show how to construct an iterative hash-unction indierentiable rom a random oracle, rom a compression unction viewed as a random oracle. We start with two simple and intuitive constructions that do not work. 3.1 H(x) = (h(x)) or Random Oracle and Collision-Resistant One-way Hash-unction h One could hope to emulate a random oracle (with arbitrary-length input) by taking : C (x) = (h(x)) where : {0,1} n {0,1} n is modelled as a random oracle and h : {0,1} {0,1} n is any collision-resistant one-way hash-unction (not modelled as a random oracle). However, we show that such C is not indierentiable rom a random oracle; namely, we construct a distinguisher that can ool any simulator. As illustrated in Figure 4, the distinguisher irst generates an arbitrary m and computes u = h(m). Then it queries v = (u) to random oracle and queries z = C (m) to C. It then checks that z = v and outputs 1 in this case, and 0 otherwise. It is easy to see that the distinguisher always output 1 when interacting with C and, but outputs 0 with

7 C h H S C(m) = (h(m)) H(m) = S(h(m)) Fig. 4. The simulator cannot output H(m) since it only receives h(m) and cannot recover m rom h(m). overwhelming probability when interacting with H and any simulator S. Namely, when the distinguisher interacts with H and S, the simulator only receives u = h(m); thereore, in order to output v such that v = H(m), the simulator must either recover m rom h(m) (and then query H(m)) or guess the value o H(m), which can be done with only negligible probability. 3.2 Plain Merkle-Damgård Construction We show that the plain Merkle-Damgård construction (see Figure 5) ails to emulate a random oracle (taking arbitrary-length input) when the compression unction is viewed as a random oracle (taking ixed-length input). For simplicity, we only consider the usual Merkle- Damgård variant, although the discussion easily extends to the strengthened variant which appends the message length m at the last block : Function MD (m 1,...,m l ) : let y 0 = 0 n (more generally, some ixed IV value can be used) or i = 1 to l do y i (y i 1,m i ) return y l {0,1} n. where or all i, m i = κ and : {0,1} n+κ {0,1} n. m 1 m 2 m l IV y 1 y 2 y l Fig. 5. The plain Merkle-Damgård Construction We have already mentioned in introduction a counter-example based on MAC. Namely, we showed that MAC(k, m) = H(k m) provides a secure MAC in the random oracle model or H, but is completely insecure when H is replaced by the previous Merkle-Damgård construction MD, because o the message extension attack. In the ollowing, we give a more direct reutation based on the deinition o indierentiability, using again the message extension attack. We consider only one-block messages or two-block messages. For such messages, we have that MD (m 1 ) = (0,m 1 ) and MD (m 1,m 2 ) = ((0,m 1 ),m 2 ). We build a distinguisher that can ool any simulator as ollows. The distinguisher irst makes a MD -query or m 1 and receives u = MD (m 1 ). Then it makes a query or v = (u,m 2 ) to random oracle

8 . The distinguisher then makes a MD -query or (m 1,m 2 ) and eventually checks that v = MD (m 1,m 2 ); in this case it outputs 1, and 0 otherwise. It is easy to see that the distinguisher always outputs 1 when interacting with MD and. However, when the distinguisher interacts with H and S (who must simulate ), we observe that S has no inormation about m 1 (because S does not see the distinguisher s H-queries). Thereore, the simulator cannot answer v such that v = H(m 1,m 2 ), except with negligible probability. 3.3 Preix-ree Merkle-Damgård In this section, we show that i the inputs to the plain MD construction are guaranteed to be preix-ree, then the plain MD construction is secure. Namely, preix-ree encoding enables to eliminate the message expansion attack described previously. This ix is similar to the ix or the CBC-MAC [3], which is also insecure in its plain orm. Thus, the plain MD construction can be saely used or any application o the random oracle H where the length o the inputs is ixed or where one uses domain separation (e.g., prepending 0,1,... to dierentiate between inputs rom dierent domains). For other applications, one must speciically ensure that preix-reeness is satisied. A preix-ree code over the alphabet {0,1} κ is an eiciently computable injective unction g : {0,1} ({0,1} κ ) such that or all x y, g(x) is not a preix o g(y). Moreover, it must be easy to recover x given only g(x). We provide two examples o preix-ree encodings. The irst one consists in prepending the message size in bits as the irst block. The last block is then padded with the bit one ollowed by zeroes. Function g 1 (m) : let N be the message length o m in bits. write m as (m 1,...,m l ) where or all i, m i = κ and with the last block m l padded with 10 r. let g 1 (m) = ( N,m 1,...,m l ) where N is a κ-bit binary encoding o N. An important drawback o this encoding is that the message length must be known in advance; this can be a problem or streaming applications in which a large message must be processed on the ly. Our second encoding g 2 does not suer rom this drawback, but requires to waste one bit per block o the message : Function g 2 (m) : write m as (m 1,...,m l ) where or all i, m i = κ 1 and with the last block m l padded with 10 r. let g 2 (m) = (0 m 1,...,0 m l 1,1 m l ). Given any preix-ree encoding g, we consider the ollowing construction o the iterative hash-unction p-md g : {0,1} {0,1} n, using the Merkle-Damgård hash-unction MD : ({0,1} κ ) {0,1} n deined previously. Function p-md g(m) : let g(m) = (m 1,...,m l ) y MD (m 1,...,m l ) return y Theorem 2. The previous construction is (t D,t S,q,ǫ)-indierentiable rom a random oracle, in the random oracle model or the compression unction, or any t D, with t S = l O(q 2 ) and ǫ = 2 n l 2 O(q 2 ), where l is the maximum length o a query made by the distinguisher D. Proo. Due to lack o space, we only provide a proo sketch or a particular preix-ree encoding which has a simpler proo; the proo or any preix-ree encoding will be provided in the ull version o this paper.

9 The particular preix-ree encoding that we consider consists in adding the message-length as part o the input o ; moreover, the index o the current block is also included as part o the input o, so that can be viewed as an independent random oracle or each block m i. Speciically, we construct an iterative hash-unction C : ({0,1} κ ) {0,1} n rom a compression unction : {0,1} n+κ+2 t {0,1} n as ollows : Function C (m 1,...,m l ) : let y 0 = 0 n or i = 1 to l do y i (y i 1,m i, l, i ) return y l where or all i, m i = κ. The string l is a t-bit binary encoding o the message length l, and i is a t-bit encoding o the block index. The construction is shown in Figure 6. m 1 1 m 2 2 m l l l l l IV Fig. 6. Merkle-Damgård with a particular preix-ree encoding. In the ollowing, we show that C is indierentiable rom a random oracle, in the random oracle model or. Since the block-length l is part o the input o the compression unction, we have that C behaves independently or messages o dierent length. Thereore, we can restrict ourselves to messages o ixed length l, i.e. it suices to show that or all l, the construction C with message length l is indierentiable rom random oracle H l : ({0,1} κ ) l {0,1} n. We consider or all 1 j l the unction C j : ({0,1} κ ) j {0,1} n outputting the intermediate value y j in C. From the deinition o C, we have or all 2 j l : C j (m 1,...,m j ) = (C j 1 (m 1,...,m j 1 ),m j, l, j ) (1) We provide a recursive proo that or all j, the construction C j is indierentiable rom a random oracle. The result or C will ollow or j = l. The property clearly holds or j = 1. Assuming now that it holds or j 1, we show that it holds or j. We use the ollowing lemma : Lemma 1. Let h 1 : {0,1} a {0,1} n and h 2 : {0,1} n+κ {0,1} n. The construction R h1,h2 = h 2 (h 1 (x),y) is indierentiable rom a random oracle, in the random oracle model or h 1 and h 2. Replacing C j 1 by h 1 and (, l, j ) by h 2 in equation (1), one then obtains that C j is indierentiable rom a random oracle (see Figure 7 or an illustration). We now proceed to the proo o lemma 1; due to lack o space, we only provide a proo sketch. One must construct a simulator S such that interacting with (R,(h 1,h 2 )) is indistinguishable rom interacting with (H, S), where H is a random oracle. Our simulator is deined as ollows :

10 m 1 1 m 2 2 m 3 3 l l l IV H Fig. 7. The output o irst two blocks is replaced by a random oracle using Lemma 1. Simulator S : On h 1 -query x, return a random v {0,1} n. On h 2 -query (v,y), check i v = h 2 (x ) or some previously queried x. In this case, query (x,y) to H and output H(x,y). Otherwise return a random output. The distinguisher either interacts with (R,(h 1,h 2 )) or with (H,S). We denote by F the event that a collision occurs or h 1, that is h 1 (x) = h 1 (x ) or some distinct queries x,x. We denote by F the event that the distinguisher makes a h 2 -query (v,y) such that v = h 1 (x) and (x,y) was previously queried to R, but x was never queried directly to h 1 by the distinguisher. We claim that conditioned on the complement o F F, the simulation o S is perect (see the ull paper or a complete justiication). The distinguishing probability is then at most Pr[F F ]; or a distinguisher making at most q queries, this gives: Pr[F F ] 2q2 2 n which shows a negligible distinguishing probability. 3.4 The Chop Solution In this section, we show that by removing a raction o the output o the plain Merkle- Damgård construction MD, one obtains a construction indierentiable rom a random oracle. This ix is similar to the method used by Dodis et al. [15] to overcome the problem o using plain MD chaining or randomness extraction rom high-entropy distributions, and to the suggestion o Lucks [23] to increase the resilience o plain MD chaining to multi-collision attacks. It is also already used in practice in the design o hash unctions SHA-348 and SHA- 224 [18] (both obtained by dropping some output bits rom SHA-512 and SHA-256). Here we show that by dropping a non-trivial number o output bits rom the plain MD chaining, one gets a secure random oracle H even i the input is not encoded in the preix-ree manner. For example, such dropping prevents the extension attacks we saw in the MAC application, since the attacker cannot guess the value o the dropped bits, and cannot extend the output o the MAC to a valid MAC o a longer message. Formally, given a compression unction : {0,1} n+κ {0,1} n, the new construction chop-md s is deined as ollows : Function chop-md s(m) : let m = (m 1,...,m l ) y MD (m 1,...,m l ) return the irst n s bits o y.

11 Theorem 3. The chop-md s construction is (t D,t S,q,ǫ) indierentiable rom a random oracle, or any t D, with t S = l O(q 2 ) and ǫ = 2 s l 2 O(q 2 ). Here l is the maximum length o a query made by the distinguisher D. While really simple, the drawback o this method is that its exact security is proportional to q 2 2 s, where s is the number o chopped bits and q is the number o oracle queries. Thus, to achieve adequate security level the value o s has to be relatively high, which means that short-output hash unctions such as SHA-1 and MD5 cannot be ixed using this method. However, unctions such as SHA-512 can naturally be ixed (say, by setting s = 256). 3.5 The NMAC and HMAC constructions The NMAC construction [8], which is the basis o the popular HMAC construction, applies an independent hash unction g to the output o the plain MD chaining. It has been shown very valuable in the design o MACs [8], and recently also randomness extractors [15]. Here we show that i g is modelled as another ixed-length random oracle independent rom the random oracle (used or the compression unction), then once again one gets a secure construction o an arbitrary-length random oracle H, even i plain MD chaining is applied without preixree encoding. Intuitively, applying g gives another way to hide the output o the plain MD chaining, and thus prevent the extension attack described earlier. Formally, given : {0,1} n+κ {0,1} n and g : {0,1} n {0,1} n, the unction NMAC,g is deined as (see Figure 8a): Function NMAC,g (m) : let m = (m 1,...,m l ) y MD (m 1,...,m l ) Y g(y) return Y Theorem 4. The construction NMAC,g is (t D,t S,q,ǫ) indierentiable rom a random oracle or any t D, t S = l O(q 2 ) and ǫ = 2 min(n,n ) l 2 O(q 2 ), in the random oracle model or and g, where l is the maximum message length queried by the distinguisher. To practically instantiate this suggestion, we would like to implement and g rom a single compression unction. This problem is analogous to the problem in going rom NMAC to HMAC in [8], although our solution is slightly dierent. One simple way or achieving this is to use domain separation: e.g., by prepending 0 or calls to and 1 or calls to g. However, with this modeling we are eectively using the preix-ree encoding mapping m 1 m 2...m l to 0m 1 0m 2...0m l 10 κ, which appears slightly wasteul. Additionally, this also orces us to go into the lower-level implementation details or the compression unction, which we would like to avoid. Instead, our solution consists in applying two black-box calls to the plain Merkle- Damgård construction MD (with the same and IV ) : irst to the input 0 κ m 1...m l, getting an n-bit output y, and again to κ-bit y, where y is deined rom y as ollows (see Figure 8b): Function HMAC (m) : let m = (m 1,...,m l ) let m 0 = 0 κ y MD (m 0,m 1,...,m l ) i n < κ then y y 0 κ n else y y κ Y MD (y ) return Y

12 Intuitively, we are almost using the NMAC construction with g(y) = (IV,y ) (where y is obtained rom y as above), except we prepend a ixed block m 0 = 0 κ to our message. This latter tweak is done to ensure that there are no inter-dependencies between using the same IV on y and the irst message block (which would have been under adversarial control had we not prepended m 0 ). Indeed, it is very unlikely that high-entropy y will ever be equal to m 0 = 0 κ, so the analysis or NMAC can be easily extended or this optimization. Theorem 5. The construction HMAC is (t D,t S,q,ǫ) indierentiable rom a random oracle or any t D, t S = l O(q 2 ) and ǫ = 2 min(n,κ) l 2 O(q 2 ), in the random oracle model or, where l is the maximum message length queried by the distinguisher. m 1 m 2 m l IV g y 1 y 2 y l Y a. NMAC construction 0 κ m 1 m l y l IV y 0 y 1 Y b. HMAC construction Fig. 8. The NMAC and HMAC constructions 4 Constructions using Ideal Cipher In practice, most hash-unction constructions are block-cipher based, either explicitly as in [30] or implicitly as or SHA-1. Thereore, we consider the question o designing an arbitrarylength random oracle H rom an ideal block cipher E : {0,1} κ {0,1} n {0,1} n, speciically concentrating on using the Merkle-Damgård construction with the Davies-Meyer compression unction (x,y) = E y (x) x (see Figure 9), since this is the most practically relevant construction. We notice that the question o designing a collision-resistant hash unction H rom an ideal block cipher was explicitly considered by Preneel, Govaerts and Vandewalle in [30], and latter ormalized and extended by Black, Rogaway and Shrimpton [9]. Speciically, the authors o [9] actually considered 64 block-cipher variants o the Merkle-Damgård transorm (which included the Davies-Meyer variant among them), and ormally showed that exactly 20 o these variations (including the Davies-Meyer variant) are collision-resistant when the block cipher E is modeled as an ideal cipher. However, while our work will also model E as an ideal cipher, our security goal is considerably stronger than mere collision-resistance. Indeed, we already pointed out that none o the 64 variants above can withstand the extension attack on the MAC application, even with the Merkle-Damgård strengthening. And even when restricting to a ixed number o blocks l (which invalidates the extension attack),

13 collision-resistance is completely insuicient or our purposes. For example, the authors o [9] show the collision-resistance when using the plain MD chaining with ixed IV and compression unction (x,y) = E y (x). On the other hand, it is easy to see that this method does not provide a secure random oracle H according to our deinition. y y x x E Fig. 9. The Davies-Meyer Compression unction From a dierent direction, i we could show that the Davies-Meyer compression unction (x,y) = E y (x) x is a secure random oracle when E is an ideal block-cipher, then we could directly apply any o the three ixes discussed above. Unortunately, this is again not the case: intuitively, the above construction allows anybody to compute x rom (x,y) x and y (since x = Ey 1 ((x,y) x)), which should not be the case i was a true random oracle. Thus, we need a direct proo to argue the security o the Davies-Meyer construction. Luckily, using such direct proos we indeed argue that all o the ixes to the plain MD chaining which worked when was a ixed-length random oracle, are still secure when (x,y) = E y (x) x is used instead. Namely, we can either use a preix-ree encoding, or drop a non-trivial number o output bits, or apply an independent random oracle g to the output o plain MD chaining. With respect to this latter ix, we also show that we can implement this independent g using the ideal cipher itsel, similarly to the case with an ideal compression unction. Formally, given a block-cipher E : {0,1} κ {0,1} n {0,1} n, the plain Merkle-Damgård hashunction with Davies-Meyer s compression unction is deined as : Function MD E (m 1,...,m l ) : let y 0 = 0 n (more generally, some ixed IV value can be used) or i = 1 to l do y i E mi (y i 1 ) y i 1 return y l {0,1} n. where or all i, m i = κ. The block-cipher based iterative hash-unctions p-md E g, chop-md E s, NMAC E g and HMAC E are then deined as in section 3, using MD E instead o MD. The proo o the ollowing theorem is given in the ull version o this paper. Theorem 6. The block-cipher based constructions p-md E g, chop-md E s, NMAC E g and HMAC E are (t D,t S,q,ǫ)-indierentiable rom a random oracle, in the ideal cipher model or E, or any t D and t S = l O(q 2 ), with ǫ = 2 n l 2 O(q 2 ) or p-md E g, ǫ = 2 s l 2 O(q 2 ) or chop-md E s, ǫ = 2 min(n,n ) l 2 O(q 2 ) or NMAC E g and ǫ = 2 min(κ,n) l 2 O(q 2 ) or HMAC E. Here l is the maximum message length queried by the distinguisher. 5 Conclusion In this paper, we have introduced a new security notion or hash-unctions that enables to eliminate all possible generic attacks. We have noticed that the current iterative hash unctions like SHA-1 and MD5 do not satisy our security notion, and showed several practically

14 motivated, easily implementable and provably secure ixes to the plain Merkle-Damgård transormation. Speciically, one can either ensure that all the inputs appear in the preix-ree orm, or drop a nontrivial number o the output bits (this has already been used in practice in the design o hash unctions SHA-348 and SHA-224 [18], both obtained by dropping some output bits rom SHA-512 and SHA-256), or, when the above methods are not applicable apply an independent ixed-length hash unction to the output, which, as we illustrated, can be conveniently implemented using the corresponding building block itsel. We do not claim that the constructions in the paper are the best possible to achieve this security notion. However, we strongly believe that this notion should be a design criteria or uture hash unctions, as it eliminates a weakness in current hash-unction design, and can be implemented eiciently and with minimal changes. We believe that it is important to eliminate all possible generic attacks right rom the beginning, and not to rely on adhoc external constructions to eliminate these attacks. Thereore, we encourage the research community to investigate other possible constructions satisying this security notion. Reerences 1. J. H. An, M. Bellare, Constructing VIL-MACs rom FIL-MACs: Message Authentication under Weakened Assumptions, CRYPTO 1999, pages Mihir Bellare, Alexandra Boldyreva and Adriana Palacio. An Uninstantiable Random-Oracle- Model Scheme or a Hybrid-Encryption Problem. Proccedings o Eurocrypt M. Bellare, J. Kilian, and P. Rogaway. The Security o Cipher Block Chaining. In Crypto 94, pages , LNCS No M. Bellare and P. Rogaway, Random oracles are practical : a paradigm or designing eicient protocols. Proceedings o the First Annual Conerence on Computer and Commmunications Security, ACM, M. Bellare and P. Rogaway, The exact security o digital signatures - How to sign with RSA and Rabin. Proceedings o Eurocrypt 96, LNCS vol. 1070, Springer-Verlag, 1996, pp M. Bellare and P. Rogaway, Optimal Asymmetric Encryption, Proceedings o Eurocrypt 94, LNCS vol. 950, Springer-Verlag, 1994, pp M. Bellare and P. Rogaway, Collision-Resistant Hashing: Towards Making UOWHFs Practical, In Crypto 97, LNCS Vol M. Bellare, R. Canetti, and H. Krawczyk, Pseudorandom Functions Re-visited: The Cascade Construction and Its Concrete Security, In Proc. 37th FOCS, pages IEEE, J. Black, P. Rogaway, T. Shrimpton, Black-Box Analysis o the Block-Cipher-Based Hash- Function Constructions rom PGV, in Advances in Cryptology - CRYPTO 2002, Caliornia, USA. 10. R. Canetti, Universally Composable Security: A New Paradigm or Cryptographic Protocols, proceedings o the 42nd Symposium on Foundations o Computer Science (FOCS), Cryptology eprint Archive, Report 2000/067, R. Canetti, O. Goldreich and S. Halevi, The random oracle methodology, revisited, STOC 98, ACM, Ran Canetti, Oded Goldreich and Shai Halevi. On the random oracle methodology as applied to Length-Restricted Signature Schemes. In Proceedings o Theory o Cryptology Conerence, pp , J.S. Coron, Y. Dodis, C. Malinaud and P. Puniya, Merkle-Damgård Revisited : how to Construct a Hash Function, Proceedings o Crypto I. Damgård, A Design Principle or Hash Functions, In Crypto 89, pages , LNCS No Y. Dodis, R. Gennaro, J. Håstad, H. Krawczyk, and T. Rabin, Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes, Advances in Cryptology - CRYPTO, August Y. Dodis, R. Oliveira, K. Pietrzak, On the Generic Insecurity o the Full Domain Hash, Advances in Cryptology - CRYPTO, August FIPS 180-1, Secure hash standard, Federal Inormation Processing Standards Publication 180-1, U.S. Department o Commerce/N.I.S.T., National Technical Inormation Service, Springield, Virginia, April (supersedes FIPS PUB 180).

15 18. National Institute o Standards and Technology (NIST). Secure hash standard. FIPS August RFC 1321, The MD5 message-digest algorithm, Internet Request or Comments 1321, R.L. Rivest, April Shai Goldwasser and Yael Tauman. On the (In)security o the Fiat-Shamir Paradigm. In Proceedings o the 44th Annual IEEE Symposium on Foundations o Computer Science (2003), H. Handschuh and D. Naccache, SHACAL, In B. Preneel, Ed., First Open NESSIE Workshop, Leuven, Belgium, November 13-14, M. Luby and C. Racko, How to construct pseudo-random permutations rom pseudo-random unctions, SIAM J. Comput., Vol. 17, No. 2, April Stean Lucks. Design Principles or Iterated Hash Functions, available at E-Print Archive, U. Maurer, R. Renner, and C. Holenstein, Indierentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology, Theory o Cryptography - TCC 2004, Lecture Notes in Computer Science, Springer-Verlag, vol. 2951, pp , Feb Ueli Maurer and Johan Sjodin. Single-key AIL-MACs rom any FIL-MAC, In ICALP 2005, July R. Merkle, One way hash unctions and DES, Advances in Cryptology, Proc. Crypto 89, LNCS 435, G. Brassard, Ed., Springer-Verlag, 1990, pp Jesper Buus Nielsen. Separating Random Oracle Proos rom Complexity Theoretic Proos: The Non-Committing Encryption Case. In Advances in Cryptology - Crypto 2002 Proceedings (2002), PKCS #1 v2.1, RSA Cryptography Standard (drat), document available at security.com/rsalabs/pkcs. 29. B. Pitzmann and M. Waidner, A model or asynchronous reactive systems and its application to secure message transmission. In IEEE Symposium on Security and Privacy, pages IEEE Computer Society Press, B. Preneel, R. Govaerts and J. Vandewalle, Hash Functions Based on Block Ciphers: A Synthetic Approach, in Advances in Cryptology - CRYPTO 93,, Santa Barbara, Caliornia, USA. 31. V. Shoup, A composition theorem or universal one-way hash unctions, In Eurocrypt 00, pp , LNCS Vol R. Winternitz, A secure one-way hash unction built rom DES, in Proceedings o the IEEE Symposium on Inormation Security and Privacy, pages IEEE Press, 1984.