Ivan Damgård. A design principle for hash functions. In Advances in Cryptology - CRYPTO'89, volume 435 of Lecture Notes in Computer Science, pages 416--427, Berlin, New York, Tokyo, 1990. Springer-Verlag.
.... cryptographic hash function (CRH) H is a function that hashes arbitrarily long inputs to outputs of fixed length k (say, k = 128 bits) while guaranteeing that it is computationally infeasible to find x ≠ y such that H(x) = H(y). The construction of CRHs, due to Merkle [13] and Damgard [7], is as follows. First design a compression function h that takes two inputs of fixed length one of k bits and the other of b bits and outputs a k bit string. Make sure that h is collision-resistant (i.e. it should be infeasible to find (a; x) ≠ a such that h(a; x) h(a ) ....
I. DAMGÅRD, "A design principle for hash functions," Advances in Cryptology -- Crypto 89 Proceedings, Lecture Notes in Computer Science Vol. 435, G. Brassard ed., Springer-Verlag, 1989.
....in a keyed mode and assume it to be a UOWHF. It seems more reasonable to make this assumption when the domain is a short string rather than an arbitrarily long string. This leads to the question of extending the domain of a UOWHF while preserving the UOWHF property. The Merkle-Damgård algorithm [2, 3] is a well known method of extending the domain of a collision-resistant hash function. However, as shown in [1] this method does not work in the case of a UOWHF. Several constructions for extending the domain of a UOWHF are presented in [1]. These constructions assume the existence of a UOWHF fh k ....
....⌈log₂ |P|⌉ ⌈log₂ |K|⌉. From a practical point of view a major motivation is to minimise this increase in the key length. 3 Known Algorithms We briefly discuss the domain extending algorithms for UOWHFs which have already been proposed. 3.1 Sequential Algorithm The Merkle-Damgård construction [3, 2] is a well known construction for extending the domain of a collision resistant hash function. However, Bellare and Rogaway [1] showed that the construction does not directly work in the case of UOWHF. In [9] Shoup presented a modification of the MD construction. We briefly describe the Shoup ....
I. B. Damgard. A design principle for hash functions. Lecture Notes in Computer Science, 435 (1990), 416-427 (Advances in Cryptology - CRYPTO'89).
....of having a practical scheme is still open. Conclusion As explained in the Introduction, there were several proposals for provably secure signature schemes. However, in all cases, the security was at the cost of a considerable loss in terms of efficiency. Concerning blind signatures, Damgård [15], Pfitzmann and Waidner [39] and more recently at Crypto 97, Juels et al. [32] have presented some blind signature schemes with a complexity based proof of security. Again, the security is at the cost of inefficiency. In the weaker setting offered by the random oracle model, we have provided ....
I. B. Damgard. A Design Principle for Hash Functions. In Crypto '89, LNCS 435, pages 416-427. Springer-Verlag, Berlin, 1990.
....Figure 3: The compression functions f_1, ..., f_20 for the 20 collision resistant hash functions H_1, ..., H_20. A hatch marks the location for the key. 5 Discussion. As with [7] we do not concern ourselves with MD strengthening [3, 6], wherein strings are appropriately padded so that any M ∈ {0, 1}* may be hashed. Simple results establish the security of the MD strengthened hash function H one gets from a secure multiple of block length hash function H. All of our attacks work just as well in the presence of ....
....showing the collision resistance of f_1, ..., f_12 with the classical result, stated for the black box model, showing that a hash function is collision resistant if its compression function is. For completeness, the proof of the following is given in Appendix C.1. Lemma 3.2 [Merkle-Damgård [3, 6] in the black box model] Let f be a compression function f : Bloc(n; n) f0; 1g and let H be the iterated hash of f . Then Adv H (q) Algorithm SimulateOracles(A; n) Initially, i 0 and E k (x) undefined for all (k; x) 2 f0; 1g , answering oracle queries as follows: When A ....
I. Damgard. A design principle for hash functions. In G. Brassard, editor, Advances in Cryptology - CRYPTO '89, volume 435 of Lecture Notes in Computer Science. Springer-Verlag, 1990.
....assumption when the input is a short fixed length string rather than in the case where the input can be arbitrarily long strings. This brings us to the problem of extending the domain of UOWHF in a secure manner. For CRHF a technique for doing this has been described by Merkle [3] and Damgård [2]. However, in [1] it has been shown that this construction fails for UOWHFs. A consequence of this result is that any extension of the domain of a UOWHF entails an increase in the size of the key to the hash function. It has been shown in [1] that by signing (k; h k (x) k is the key, x is the ....
I. B. Damgard. A design principle for hash functions. Lecture Notes in Computer Science, 435 (1990), 416-427 (Advances in Cryptology - CRYPTO'89).
....to be impossible to verify for hash functions used in practice; the second assumption ignores the possibility that there could exist practical preimage finding algorithms that are successful on some (but not all) inputs. 4 The Merkle-Damgård Construction The Merkle-Damgård construction (see [7, 5]) is a method of extending a finite hash function (i.e. a compression function) to one with infinite domain. We review this method, as presented in [9, §7.5]. Suppose that f : {0, 1}^m → {0, 1}^t is a hash function, where m t 2. The Merkle-Damgård construction produces a related function, ....
I.B. Damgård. A design principle for hash functions. Lecture Notes in Computer Science, 435 (1990), 416-427 (Advances in Cryptology - CRYPTO '89).
....which works with a fixed input length . 2 More precisely, the MAC is the output of the function, but we will improperly call the function a MAC. 3 Note that arbitrary bit strings do not always have an integral number of blocks. For this we must use a padding scheme like the Merkle-Damgård [8,13] one in order to transform an arbitrary string into a string with an integral number of blocks. In this paper we prove the security for padded messages which induces the security for the whole scheme with the padding scheme. 5 Theorem 5 (Bellare Kilian Rogaway 1994 [6]) For any fixed integer , ....
I. B. Damgard. A Design Principle for Hash Functions. In Advances in Cryptology - CRYPTO'89, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 435, pp. 416-427, Springer-Verlag, 1990.
....and message authentication codes. We concentrate on a particular class of cryptography hash functions, which we call iterated constructions. Iterated constructions. A particular methodology for constructing collision resistant hash function has been proposed by Merkle [Me] and later by Damgard [Da]. This methodology forms the basis for the design of the most common cryptographic hash functions like MD5 and SHA. It is based on a basic component called compression function which processes short fixed length inputs, and is then iterated in a particular way in order to hash arbitrarily long ....
....2; n. See Figure 2. Notice that a way to pad messages to an exact multiple of b bits needs to be defined, in particular, MD5 and SHA pad inputs to always include an encoding of their length. The motivation for this iterative structure arises from the observation (of Merkle [Me] and Damgard [Da]) that if the compression function is collision resistant then so is the resultant iterated hash function. (The converse is not necessarily true.) Thus, this structure provides a general design criterion for collision resistant hash functions since. Namely, it reduces the problem to the design of ....
I. Damgård, "A design principle for hash functions," Advances in Cryptology -- Crypto 89 Proceedings, Lecture Notes in Computer Science Vol. 435, G. Brassard ed., Springer-Verlag, 1989.
....Impagliazzo and Naor [6] did discuss constructions for pseudo random bit generators and universal one way hash functions, which are as secure as the Subset Sum problem. This is NP hard. A one way hash function very similar to Impagliazzo's and Naor's scheme was suggested the same year by Damgard [4]. This was broken by Camion and Patarin [2] using essentially brute force and applying the birthday paradox. We conclude that Damgard's scheme did not fall due to an inherent feasibility of the Subset Sum problem. Anyway the Subset Sum problem may be too easy for cryptography. The whole theory ....
I. Damgård, Design Principles for Hash Functions, in: Proc. Crypto '89, Springer LNCS 435, 416-427.
No context found.
Ivan Damgård. A design principle for hash functions. In Advances in Cryptology - CRYPTO'89, volume 435 of Lecture Notes in Computer Science, pages 416--427, Berlin, New York, Tokyo, 1990. Springer-Verlag.
No context found.
I.B. Damgård. A design principle for hash functions. Lecture Notes in Computer Science, 435 (1990), 416-427 (Advances in Cryptology - CRYPTO '89).
No context found.
I. B. Damgård. A design principle for hash functions, Advances in Cryptology - Crypto'89, Lecture Notes in Computer Sciences, Vol. 435, Springer-Verlag, pp. 416-427, 1989.
No context found.
I. B. Damgard. A design principle for hash functions. Lecture Notes in Computer Science, 435 (1990), 416-427 (Advances in Cryptology - CRYPTO'89).
No context found.
I. B. Damgard. A design principle for hash functions. Lecture Notes in Computer Science, 435 (1990), 416-427 (Advances in Cryptology - CRYPTO'89).
No context found.
I. B. Damgard. A design principle for hash functions. Lecture Notes in Computer Science, 435 (1990), 416-427 (Advances in Cryptology - CRYPTO'89).
No context found.
I. B. Damgard. A design principle for hash functions. Lecture Notes in Computer Science, 435 (1990), 416-427 (Advances in Cryptology - CRYPTO'89).
No context found.
Ivan Damgard. A Design Principle for Hash Functions. In Gilles Brassard, editor, Advances in Cryptology - CRYPTO '89, volume 435 of Lecture Notes in Computer Science, pages 416-427. Springer-Verlag, 1990, 20-24 August 1989.