Indifferentiable Security Analysis of Popular Hash Functions with Prefix-Free Padding
Authors
Abstract
Understanding which construction strategies have a chance of yielding a good hash function is extremely important nowadays. In TCC’04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto’2005, Coron et al. [5] suggested employing indifferentiability in the generic analysis of hash functions and started by suggesting four constructions which enable eliminating all possible generic attacks against iterative hash functions. In this paper we continue this initial suggestion and we give a formal proof of indifferentiability and indifferentiable attack for prefix-free MD hash functions (for single block length (SBL) hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model. In particular, we observe that there are sixteen PGV hash functions (with prefix-free padding) which are indifferentiable from a random oracle in the ideal cipher model.
Similar resources
A synthetic indifferentiability analysis of some block-cipher-based hash functions
Nowadays, investigating what construction is better to be a cryptographic hash function is red hot. In [13], Maurer et al. first introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two cryptosystems. At ASIACRYPT’06, Chang et al. [6] analyzed the indifferentiability security of some popular block-cipher-based hash functions, such as PGV...
On Indifferentiable Hash Functions in Multi-Stage Security Games
It had been widely believed that the indifferentiability framework ensures composition in any security game. However, Ristenpart, Shacham, and Shrimpton (EUROCRYPT 2011) demonstrated that for some multi-stage security, there exists a cryptosystem which is secure in the random oracle (RO) model but is broken when some indifferentiable hash function is used. However, this does not imply that for ...
Security of Practical Cryptosystems Using Merkle-Damgård Hash Function in the Ideal Cipher Model
Since the Merkle-Damgård (MD) type hash functions are differentiable from ROs even when compression functions are modeled by ideal primitives, there is no guarantee as to the security of cryptosystems when ROs are instantiated with structural hash functions. In this paper, we study the security of the instantiated cryptosystems whereas the hash functions have the well known structure of Merkle-...
Davies-Meyer Merkle-Damgård Revisited: Variants of Indifferentiability and Random Oracles
In this paper, we discuss the security of cryptosystems that use hash function DM-MD that is Davies-Meyer Merkle-Damgård with ideal cipher E. DM-MD is not indifferentiable from random oracle (RO) due to the extension attack and the inverse attack. From the indifferentiability theory, there is some cryptosystem that is secure in the RO model but insecure when RO is replaced with DM-MD. However,...
Characterizing Padding Rules of MD Hash Functions Preserving Collision Security
This paper characterizes collision preserving padding rules and provides variants of Merkle-Damgård (MD) which have less or no overhead costs due to length. We first show that suffix-free property of padding rule is necessary as well as sufficient to preserve the collision security of MD hash function for an arbitrary domain {0, 1}*. Knowing this, we propose a simple suffix-free padding r...