Cryptology ePrint Archive: Report 2018/625

Better Than Advertised: Improved Collision-Resistance Guarantees for MD-Based Hash Functions

Mihir Bellare and Joseph Jaeger and Julia Len

Abstract: The MD transform that underlies the MD and SHA families iterates a compression function $\mathsf{h}$ to get a hash function $\mathsf{H}$. The question we ask is, what property X of $\mathsf{h}$ guarantees collision resistance (CR) of $\mathsf{H}$? The classical answer is that X itself be CR. We show that weaker conditions X, in particular forms of what we call constrained-CR, suffice. This reduces demands on compression functions, to the benefit of security, and also, forensically, explains why collision-finding attacks on compression functions have not, historically, lead to immediate breaks of the corresponding hash functions. We obtain our results via a definitional framework called RS security, and a parameterized treatment of MD, that also serve to unify prior work and variants of the transform.

Category / Keywords: hash functions, MD transform, SHA, collision resistance

Original Publication (with major differences): ACM CCS 2017

Date: received 21 Jun 2018

Contact author: jlen2734 at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20180622:150124 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]